23542300x8000000000000000595059Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:58.709{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EF5D356E100FB9B3176FC492A5812D,SHA256=67C05B2F1D1B112FAF866BE69488A601DBCCE1F9DE037D940CEA5801757C2B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:58.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985BBBD9883FB27987D124BA817E3804,SHA256=12E0F819164FF15A068BE1E19B19562DD50BB224ED27176DEEE978294F667EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595058Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:58.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33CC16319793AE9F84AE64EA5D56C30C,SHA256=A530D695BFA6E71C53C6E6DE3F3E8B13E7D9FBCFDE16C4AC8F130CF4A8138269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595061Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:59.741{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF78E7ED2E2F0E6E77B8E0C0ED8D7A82,SHA256=E23C6A61A62398CB437DE6FA67BFDF4B4B987E4C0DE960FE4FACCEB2831A10CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:59.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D76A77044B8C5271B0DCBADECD28137,SHA256=DDC94081719F1240A46BD1EB8241F311138F0B17B16E249497F39BC3FCF07B6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:56.040{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000648771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:59.076{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82F50789B323F6E9C50B9EFA9C3E9BE4,SHA256=E16B4D4C1C0037FFC00F0DFF3531330931FC29CCE4EE626CB2E0BC565F72689C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:00.741{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714B0E66D12D0CD894096BA21C6DA2F6,SHA256=0709F52D5AF233B0CC5326ED9A56DD8981B934982FEBC57F8CB220F22C004BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:00.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41026417E2E001A2344C3E4871DB40FF,SHA256=DC39CF12890CE20DA7193ADE8CF2B40AB9F2C25F3D65DA8F8E889C86E6B167DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:50:56.837{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000648775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:55.647{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49795-false10.0.1.12-8000- 23542300x8000000000000000648774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:00.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBCDD570C42203144ECCDB21DB576E98,SHA256=AD5556240091B54A8526856720CA9BB7F5EA69AED2552CBE790DDAC2D0ED020C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:00.201{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.607{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD8D7B53F657863E176ED1C47361B30F,SHA256=E85B22F7D0BA4729F643F6F2AEDDC380AD00A0A1A9E4E8EF3D729F827828D4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.451{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A9CEB4DEDDB3AEA4C1BA6060F2035B,SHA256=AFE9AC7CAEC1419A0D7DF020B31929597FC9B8C607F7E6594374BC2BBD1CC5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:01.881{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D5248E43CD0665C041233A21B885045E,SHA256=03320D18AEDAD15A8690D40E0886C922B9E18C951EE709A02D626E7F452AA38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:01.772{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E4F2A49B5E9AE4B3AC9C48931AB19C8,SHA256=6DF70C7450707CCDBA39CDF93C45BBD24000B6F0AB3FE8BDC1CA905639B54049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:02.787{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4B04E9DD59BC339C76B612D7A914B0,SHA256=796F3A7D2837C04A7168D3FDDC8EA7CFD8C322EDB2F3FB4EC2B8CFFBA017D535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:02.748{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB663A4AECD942E23885880C4CBD49AB,SHA256=AB096FF29F068320AD791489C264E9170EF738DA8B5B4B9C5ECB8E22AEF2C0E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:02.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7028BAB2159182D04AAF3CBA4F7AB752,SHA256=165B0E27F93F6DE889A15DDB24492E0BE899A4B08BA61B883EAE0DAC48867AEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:50:57.709{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49796-false10.0.1.12-8089- 23542300x8000000000000000595067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:03.803{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD22AD3C322D1E72876C0A4AFBE347EB,SHA256=9FCAD0E10FC3E7AF6C96194A0C7AA4FD2262A0BDBCE513F20AEA487C017F57CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:03.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C9F728AEE9DD8CBEC87B1DE0582C6F3,SHA256=9F5462FEB334DFD25A5F18D7BBD566C9982403F7880386349E9457676A320177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:03.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717DAD3A67ED79F8A8A952AF7E67891B,SHA256=95DAB9FA88FDB530448F78F0AC9F57A0A50E679A691AEC8BD93AC2F079436E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:04.866{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E896609C3C343E5DB8AB99A32DE718,SHA256=696D7769B4060BFD1B7959B6FCD5CA20E0358B4C9714B87EDC079CB94D577B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:04.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52EB5583421F6E267EF31C54E2D29802,SHA256=80326389086B86BBCC2DAA265B83A0CF536BBE6E1859EAE0A3B2B506298F6900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:04.084{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=999BE1AA2581BEA1EA955870D17D2476,SHA256=8F38D5FDFE414B5874BCF0E544116E897C62A37A515009BB75C51D9723D1F6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:04.084{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9991BCAA9C0CD92C4E47AF4D825FEF8,SHA256=52B79D4215F988BA9714ABE11FB5E291FC95A77EEC174E5C96D93154F1B9BBF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:05.928{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB15ABB4031621D27928D8A7BD735017,SHA256=050F4E052B549CE5F6BC394774883C01C75BC1AF5E2CD7F0632DEB651F1106D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.701{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000648788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.522{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49797-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000648787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.522{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49797-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000648786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:05.482{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5DD1E5774EFBF5F638DDED8CA7470F8,SHA256=344C8DF33DC406E8A0A53F9E5C121F09A04F7B60E0DAE766E35D197E6B126559,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:01.901{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000648785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:04.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10067232A13DF9DFAFEB8A256966EE4,SHA256=DBF67A3A90DC9C7F9B5A552EF1AEBA325283B01AF56864F449CC8DAE48387042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:06.944{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356FDB9CDE919E4543E0B712C3BBE1EF,SHA256=3BF31B124C46963B90B2981C1FFADE4ACCAF2273FDEEB7051C602DD0987151C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0E03-00000000C401}5960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0E03-00000000C401}5960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.607{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78CF-60B6-0F03-00000000C401}6080C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000648797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:01.616{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49798-false10.0.1.12-8000- 23542300x8000000000000000648796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.482{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1B092C496D38AB31843BF893450C33,SHA256=DD8D8145855491462F38E8725D29D6DD59DCDBE5768A5D3A29934A0A3371421B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:06.139{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8344DA0F03700225DE5F19EA2CD1E207,SHA256=FA92527EC45E3726F41F41ED0C1BF437416CE1BC029CAA13EE1AE37E520123A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:07.959{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267D4CF6BC11C159E85465ED849FB894,SHA256=6AFAE82900A1B0019FC08652B0DE5E5641BCDE01A24F388AD8B0E67FDD1F27FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.623{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A68058A2C9C70356ECB810AA8A55B4E,SHA256=C06EC709988418C8725D0294442FEFF417C401133EE40495C5FD420068D14F76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}397632C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000648804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.404{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9140D54A6F4592CE08D30B83B95F7A6C,SHA256=EFC6B1D22B6DCFD28ADC7113EB324912B328DC58B275EDA1923DAD4F6056458F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:08.991{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D578BC9F0938A963302AB182B3ED181,SHA256=FF07A9BB44AF30C1577FB52AF6D61269BD036FE6A569A844E4C6DD735579F54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:08.686{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F12D2E6D6E9E07DB6FA22C377ACD38,SHA256=85631B00402F4CA18B665FC3DDFCB628BA5C801FED84F39D6CEFEAF62E183BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:08.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444E7D32F1D817221271C97A17AAF129,SHA256=A01F931E563DDBC87510F277726713ED84D27D652E53F7ACFDA3798536FA25E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:09.748{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A84DB7A692D7F484D271748F7B90DFC,SHA256=F58B76D086CFF71E930F4DE69674E1FF5C81DCDDBA13E3604D620F334B961D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:09.991{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99B983DE935E41377B72CAC3F48B2C2,SHA256=84E61480B4050B59C80BFB727BBF4E5B75D174CB0ADA5F1DB7A9D9068A5C4F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:10.779{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45556A14A12BC2F67960B544C2562292,SHA256=960CBC1F62791B7BF607E6AA57403E593969C6BE5D272AAF01F923CA107CBDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595081Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:10.991{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12D2494EECC23C882F8DA1DED82A23AB,SHA256=5B8AF5B0D4632ACAACFDABB5948F34BEE73BADC95650F390D453FFAC1F81E395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:09.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E94B56AA682FFA269872540E8365534C,SHA256=27DAD1BF18CEAFE9D2C1601616C4145D9EB71374FA9EE4E1E4984DC904490D5D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000595080Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:10.928{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7587f-0x82cd14df) 354300x8000000000000000595079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:07.931{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:10.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1E6535B5C5D81A16A87014B84856AB,SHA256=57AD61D5F46EF5A281B659A72C5DD71DF6852C5BE0B883359BF26E894F9C7EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:10.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=999BE1AA2581BEA1EA955870D17D2476,SHA256=8F38D5FDFE414B5874BCF0E544116E897C62A37A515009BB75C51D9723D1F6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:11.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B67B6EAF49A650EC9F6950F668FDDE,SHA256=DDDC8676910E8FBCFB11CDAF52D56F5EF0AA8B94B88583AE76CF86224A6C70B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:07.647{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49799-false10.0.1.12-8000- 23542300x8000000000000000648817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:11.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=806FE827AA1D97B969A029384AC65E57,SHA256=21842576ED0C266D1F4803393EED9A4A4018C4F689605678DE03669D696FA868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:12.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD392496489D15390A92CD2AD573284,SHA256=7EA029A50036A2D42AD1EB2328618DA7BFAF8FAD0D7A71AB72F4561395DB5075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:12.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A1CE1D068A3677B36C1A71BF4B3ED2,SHA256=11DF8F535ED2A9F3288A1E1C9B35D3FC4F5FBAAC49297461DB13F6E98CD21FB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:12.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8947ACAD4F1D7CB9C50CAAF0B1E2FEA8,SHA256=4060E89A6CF412BAC44C62B8BAE4B1DD22D06A90114ED45240994A60DB1446F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C40B366183CC4BAC5F8198375CC6FC6,SHA256=B5FB740B40B62A3D29F95265C709E7C596D3780E4408A520A8281606D3DB67E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:13.037{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188D35DB6845105DFFC8AE2DBD3DA4D2,SHA256=BC71480D5580D1144F870DE5DD8C66B3681581BB3B0C97E0B0DEB9851E5330B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.826{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.812{D419E45B-DE51-60B8-5F4E-00000000C401}1420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E2A102BA874C87B9C0E7BA0270867E,SHA256=F0E7DBC6BF46A712BD5AB97753D66C3C88D99DA739FFAE3370DCAFFF549A360F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:14.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5D52AAEC446F8C264ABC1C375A3372,SHA256=47E7291F753B1A4EECC7DFCCD2F6A7FD5EFF8971D574F8197AEBC0E540BF6B12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.670{D419E45B-DE52-60B8-604E-00000000C401}35846860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.498{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.499{D419E45B-DE52-60B8-604E-00000000C401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.482{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EB3D2A1DA0B0E23D12759104BC4F7BB,SHA256=CE1E4DB3D6C424D7AC4CDB2D237C3D80401E1A4C8C1B65D1E1178CA1D9CA420F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595088Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:12.993{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595087Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F112CE5F47605F44CFB643AE600FB961,SHA256=177C1C9188320A219F5675E499DFDE15E9E22614BD475737D198C2D6D42B56E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA1E6535B5C5D81A16A87014B84856AB,SHA256=57AD61D5F46EF5A281B659A72C5DD71DF6852C5BE0B883359BF26E894F9C7EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:15.116{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2C7BA0E9FB5548C8F75C0D7EB87CEB,SHA256=B52143B15A683343CB00398917032F481D73BA6B3E9BA39D9ECCB93D232BA664,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.873{D419E45B-DE53-60B8-624E-00000000C401}19206916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.717{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.717{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.701{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.704{D419E45B-DE53-60B8-624E-00000000C401}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D98E3F36B87E575B4772BD820AC0F125,SHA256=395383B1A1E0A3B7E95EABBEF2C1098E2605E51DC71A085EF30282E78B1F2284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.295{D419E45B-DE53-60B8-614E-00000000C401}50366780C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.092{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:15.078{D419E45B-DE53-60B8-614E-00000000C401}5036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:14.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8AC064DAFC06556DD269DCC48116486,SHA256=2B439BF6D0AFB5348305E81976F80CA36016176F6D1DC38E754AB8AF346DE191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595089Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:16.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAC96958EAA1093C4C35B9E7F5222E6,SHA256=E1A2839BF9BD116505CE3880E67B09BBB238B12EC9E1B2504974E2FDECD60D7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.600{D419E45B-DE54-60B8-634E-00000000C401}46881076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.412{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.397{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.398{D419E45B-DE54-60B8-634E-00000000C401}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:16.014{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58EEFF381C13B47850EE69F233450D6,SHA256=851B9C9140C04A7C9A18B75429325C7012CA87251915A55936469DB5724791C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595090Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:17.139{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C450F5769AD062A5B2F1CA77B23A43D8,SHA256=A5D798FFE9B8FD8C567DA293F7A002FD83AFD5A67ABCFA9B268590A607B97E23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:13.569{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49800-false10.0.1.12-8000- 10341000x8000000000000000648889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.740{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.741{D419E45B-DE55-60B8-654E-00000000C401}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000648881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.194{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2969B68F9E1F06FC1D3DEC183D57AF,SHA256=DCB6F8EA7846E22CE982F16119D8EA8522A49C06C0243D5D3A21B653AF75D062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.194{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD30B9BB96FE4D2FC3F269AA23FD9EE,SHA256=FCFBF72426E75D432984666DE05BD9EC782DBA6D611127D006242DE2A75F2E3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000648879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.084{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.068{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:17.069{D419E45B-DE55-60B8-644E-00000000C401}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595091Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:18.155{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64FCA5344EBEEC4C6691B40B25EA7174,SHA256=121E13CC97B0B0A69C60881AE35E0CBBD0048D5780854AFB2840DAD52658D56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:18.350{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6309F836D90779D9BC32A7492625AC94,SHA256=CDB18316A284856F380F39C350CB12E35AC8A0929971D0CAC691906EB519EC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:18.334{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7460CE2370187C60D1D4E28D6A362844,SHA256=B4A47A335E30266FDBC66C8EE043F852277EB09CE150FB9EE405E072811DA93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:19.506{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AB71019F91E73E0FF814E9C18AA7F71,SHA256=8D0CD25D146388B2ACFF90F0EDB7FA28F0CB235E92F6D604C8525F265F93EE10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:19.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C60B854B7648D289C0FF73BDA48D29,SHA256=79F9D3E90BA96D0C6952577A9B8F5347B418B140C3639344F9A07CADFF8956CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595092Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:19.170{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157B495E3BDD32CCBF809DEB785BE3DF,SHA256=DAF123A1AA756F62CF1438B0166D0409078C55CC53706D695F200EBD70D0A76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:20.647{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E7FE44B379F7AB6DA3276BD202441DB,SHA256=2D42AA68B5E2864B7C23BFE3A5FBD443CA216FBF03D4A56519455F1BF7A84D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:20.381{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21715F309A36096CF626E328F3401F7F,SHA256=B4434DCF1C385E773593768A71BDD17810B5E2C338CAC2424924508EB5E40E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595093Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:20.202{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27518F35EE733D4A2A0E6494595BA21B,SHA256=84E6D3D37296D6442D6A8734DBD0F3A8DC845794FADFD2B3771F61F3EED6E74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:21.787{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44DD82C6C436C7D115F00225C71DB2A7,SHA256=027A6D9D4680478DBD14CB70620CDF80727AE526F35DC529A6B36FC307BC0CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:21.397{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055316202FF7D7F780136C30C22B2AA3,SHA256=E14C0C9575216A8248CDD1BE3221EAD842E64C5B6AB3D451DDE849AEF5270F59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595097Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:18.908{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595096Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:21.249{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F39025D1F0BCEB1653929BC42A0B842,SHA256=5DC506F7549F34C21886F8D4FDA20F5310DEBE81853CE3BE174EA5B17A5CE608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595095Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:21.249{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F112CE5F47605F44CFB643AE600FB961,SHA256=177C1C9188320A219F5675E499DFDE15E9E22614BD475737D198C2D6D42B56E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595094Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:21.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7610D2BA47557E983A9AD752E305F1,SHA256=E7CA19201A7B00616FBDA88D5A0BE220D2BF46F40FB3D23BB7CF4B21690D58BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595098Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:22.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C392ECB669DBD213E02D690F6BA8373E,SHA256=FCFAE1286FF4EDCFE5D044C6B3C92EBD6A7EB318BBEA5BA9743044BE9A6D85A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:22.819{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8BE34E58F53F7B308560849F3D9607,SHA256=0605FC47049FE9ECEBD08D74BDA7B7FFCA7DAB151E62BFB503D7F9026CCFA713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:22.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D2A4AE8952DF04591DC1A3D7F931DD2,SHA256=B8C9F64EBCB7A223037A71D8FB10E8FB6B76CE640334ADEED38C05930B0FAEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:23.975{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D8803EB028F90B5C367DA254443A6A4,SHA256=6BDBE1E58305C3DB8D5DC9796FC55B70A2D1A2296B6C9DFFF4DF9F7C7C34A8E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:23.475{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB15866F84729F17E9359B86B6A10B3C,SHA256=622E9615ED16C1CF90739D3E5D8625822F0D065429DB687F290080FBADD7D5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595099Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:23.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5FABB36A46A73B7E8BBBEFD191E7F5,SHA256=189C52C8FC8F810E55A540F06DC35791ECF469809D801AF50A54FBA67D9771EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:18.733{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49801-false10.0.1.12-8000- 23542300x8000000000000000648904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:24.490{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E8208729F87724D8AADE9856B8BC4C,SHA256=B643330681BE22D721112B53F6189742CDC49715110E50140AC2944A32D49C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595100Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:24.264{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE36B185F4863391F2DC60997FEB4C1,SHA256=96C7D99D987DDBFA5CD1FE89E39BEF66773C39F49B14B7031F11453942D5B426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:25.506{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10FDF10BDD7B220F16B4C75DEE1F7F6,SHA256=2EC775A3952F520A13571B87C5F1D2F0003DE050F5A27DBAFB8F2BB447F8AE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595101Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:25.280{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0B0A7A1969CAFA82C9C6EADA1E06B1,SHA256=CCBE147D3CB5BC7A71A71D54365F4F6F2E070C952DD4E642A36BC195688F9976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:25.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37B7180769E423EF58FC64B7BC016794,SHA256=1E3EFDB8541179ADCE704B4F545D374FA60F8B8FCEA1A23327C0D770CAD4497D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:26.709{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6937CBCCF382FE2F4206191179442A56,SHA256=304AD5F9F2E92F971BCB88F00C370E63A093D98A6A4D584EC19EC19146A7B113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:26.522{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9636BCC792E09E86984DF27AB3842250,SHA256=248CA1C76EE481A8DA31D8BFE9209629233C680477A4EEE64241FF2DB1F18C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595104Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:26.280{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=785F343EA9F874030691A25FE6B13575,SHA256=59449590FCA71758BC8240E93F70BC72D61E7CFEEECD5B520CC56B51C8439828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595103Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:26.264{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D920DF74F38FF595E4524E0E0D3522,SHA256=85434622A7ECF4332B8C4F41192B8976058D16ABD803AD0617C8DDC22D7CC965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595102Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:26.264{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F39025D1F0BCEB1653929BC42A0B842,SHA256=5DC506F7549F34C21886F8D4FDA20F5310DEBE81853CE3BE174EA5B17A5CE608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:27.865{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE27964F81A7526EDF1A2B635CF96770,SHA256=A7E8532937189882E545FAE66CC193BBE25F55B341E544AF04355BE7BDAA4309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:27.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96D5D543494CBFD9709DAF705FE63E7,SHA256=B4FEAA2C8182507207ABC6AE43224EC7E104C8776A4FF982842562BADAEDEDFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595106Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:24.064{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595105Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:27.295{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FDB38C09790A06399E08932F7AB71D,SHA256=C03983AE0B759CB27BCF84A2B826A6385A8A9294DC2260829B62879F25A712EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:28.584{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620CADA9F40C9A15C449FAD9EB3495B4,SHA256=677AADA612DF19EC5D9F4C40F3EBE96E2FFECD269E78DF8B3D5CCD5FFB0294E6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000595127Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.780{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000595126Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.764{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595125Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.764{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595124Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595123Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595122Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-DE60-60B8-4058-00000000C501}3728C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595121Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DE60-60B8-4058-00000000C501}3728C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595120Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595119Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595118Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595117Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.749{97C2ED32-DE60-60B8-4058-00000000C501}37281084C:\Windows\system32\conhost.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595116Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-DE60-60B8-4058-00000000C501}3728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595115Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595114Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595113Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595112Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595111Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595110Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.733{97C2ED32-9D3E-60B6-7A08-00000000C501}33644988C:\Windows\system32\ServerManager.exe{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000595109Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.728{97C2ED32-DE60-60B8-3F58-00000000C501}1092C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000595108Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.686{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=EBBFDE2738D1C9E9FED762F1CBF83657,SHA256=CB04DE3BF92BF291A75B4632BFC234BE80439240408911D6113120DD2FFA7BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595107Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:28.327{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55E5865A323D6AA1B444EA22F0CF1CF,SHA256=FEF54DDD0EE4935C13E868BE5C1A5497015D31233D7686D47C08C3A824ACBFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:29.615{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9C6CE768F304DED70FEF16AA5E6AB5,SHA256=1B349A07AB28FCBA2F8A35842749AE5403CE12E15ED8B495C9C02D717166625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595140Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.850{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F36AF52899F9DF8FF2ADA69C3B5696CC,SHA256=451C7C9EE7E9420D0E721F34C5E57C2DFF463D5E85A4CA13ED4E8E509D26BE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595139Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.850{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=877F793506A34AA7BFCA4F3314899146,SHA256=2E379D8F458F18B21D0B5723B6FBA945808D34FF3F614FAE5F2085797B333F6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595138Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595137Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595136Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595135Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595134Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595133Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595132Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595131Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595130Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.771{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595129Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.725{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D920DF74F38FF595E4524E0E0D3522,SHA256=85434622A7ECF4332B8C4F41192B8976058D16ABD803AD0617C8DDC22D7CC965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595128Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.327{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A29B13ECB3C951CC83574DFD571852,SHA256=F66BE9597F9CC8A666C4FB688E48124A61A1CAD08B4F59A4A72B667D6F004942,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:24.623{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49803-false10.0.1.12-8000- 23542300x8000000000000000648912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:29.022{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EE1A2A8E5489D0A1B34CE5F49189076,SHA256=A1800137E90ACDD3E45477FFB2F1BA4EBC113547EC24EA810050289BA2A5D3CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:30.631{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A039134736EAE3B22831B104C2124F6D,SHA256=C0D03308A98E981604BB0C10BCE4A479A5B683327FB2E43149BFF15587BF17CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595143Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:27.612{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49748-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000595142Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:27.612{97C2ED32-DE60-60B8-3F58-00000000C501}1092<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49748-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000595141Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:30.350{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E835722A8C9D886EAD637F2DE2B1A359,SHA256=07158CB401C40FFFC0C95D3A9F1C31A0B0F1452F289C1C5D1BEB90CB53B26196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:30.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D70BF2655F31596A0619510155563536,SHA256=9F18C7E0B37E72E099364FF25B6957F3B1ECD83A0CA2A273523F919E9794BEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.694{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7378A01D1612DD298663FD52A2D9A82F,SHA256=9C99C5E16C2A78CC33F807095963DBDCC401437B416F189D86A2ACBB0A516284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595144Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:31.378{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F560AA6479C1892651B802AC3DEFD2C,SHA256=8C923E69B9722AE196AB16D1E1DFA931DAC3335BEC9E03D52DFC869565C7DC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.506{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A36049CBA90C4152B0E9FD88E633FFFC,SHA256=2E6DF80AC96A5E8F0F2E0FA839DE3BC4515FAF033B3677A70E651D0EDB179152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:31.365{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68AE10BA37C2CA080837A4CC1EFC8D5A,SHA256=8E9830AF24609A7E28EF81D7F2FF7F9CC81C281BDB7E525D98420166F461715E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:32.710{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09AA56D346CD659464F242C7C948C3B3,SHA256=404F95B0EE76B6F7576053113B40218CD072EF7FAA092F6E92A1DCDC559D6973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595146Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:32.380{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCF9FA16A92EE6EE79C1B3769A180E9,SHA256=1D7A12B333CD7EECC81C4D1D4048F1B926B9C21D41B35F6A89B512970AE81CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:32.397{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19EE3028A6D43E5CE1EFE697B38C5505,SHA256=9C76C48E0D1BD78FA468017881B5EB01E8A6E865A7FD0EE0D6A3CC936DC4B435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595145Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:32.146{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA891BD3A3F750257B3A39AA5B87661C,SHA256=E88053856A92D2B068CBD3B02E03E48D7000596CDB1AFF05271253C2E8398E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:33.724{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668DBCC2CF1ADFE3574FC695ED74179D,SHA256=691C467231178BF64E531E62CF3092ECF426F243283F75ECA09C82A512D6BC7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595148Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:29.943{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595147Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:33.396{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A7909A50DE77A75FF53D14111072BB,SHA256=05C347DC5565DD86EEA851F2AA5920142F3985693E23336FEB7D9A6E65FBA72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:33.492{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78C48561265B15B86F5120F1B828525C,SHA256=4B6903A91EDD958CD66568AC8E31AB72C6B58661AA49409AFAAEDBD5CDD588CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:29.654{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49804-false10.0.1.12-8000- 23542300x8000000000000000648926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:34.961{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1C9D3ADFC0427C52E9BAA8AA28115AA,SHA256=F81F0EF2B603D68E8582752E2CA0E4FA09AFCCE5DCA80CAF7FE8FF80D99E4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:34.758{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0338A60B9127A4E5811922B0982ED64E,SHA256=C948A02772BBF6E97F6B829A36560BA82EEEEEBDADF389440916BABA9A32F42E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595149Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:34.396{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3373C33D25516873AFBC4384A55E454,SHA256=22E44C6B3CFA7FCE4BEA68F5F72962E50DE0559CAAE357EB71C6F43D80C144B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:35.758{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55A912F3775A82CE03AC5FBC4955046,SHA256=D5C904DA97422D8A25C7A16A2675F8F1186C18F8FFD1709F407341DD1DFA5946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595150Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:35.411{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF08B6B831AC7753962AFCD1F2989B71,SHA256=016DDB1C2B4DC65CED0378875821497CAEFCBA68D7FA3FD565AE0D67710219E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:36.764{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE2C1B770BF49D05FC9E0765E0627EB,SHA256=AD34BD8E735CA010B0D43E37094CEE11897DCE6B3285CE08DE4BCEAE131E10F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595151Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:36.413{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA8945BF36481447A5F791F3A2CB4CE,SHA256=F548A043CA1DA59450A6E68186CC103FC63812DF422F99DC7FE483DDEC241086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:36.102{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07E5D7D6D2CA20521B4698A640B64F26,SHA256=D74AD96C6F38A1CA9A005FFEAE13E60D559567B099624B308049ACE834AC0812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:37.873{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64E731BCB14D8DDD4C1CA02C4EDF4CA,SHA256=2B1C0774A92C98957B46F4C6D54EAC84A7DBFB8E692245B96560C3EA5586DC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595152Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:37.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63483B147739955DDB7683232886752,SHA256=DDA7D12336BE5920C492B7B1940594037B30366552D908264803B23B3A045E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:37.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34FE5FEDBD86B28E5C6EF83CA4054768,SHA256=7BF0739441DE93FC4A9CD3ADEBC949920C4BC66B84AFCC5169FBC4FD0C1F8F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648934Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:38.889{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BEB3338C00909128A16801896659114,SHA256=E4E881C425C251927565E2B98007120CFD0250764B1C65DF263F5D525BA37DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595156Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:35.884{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595155Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A43E60EB9E50E69982B9D835F6ED0C4,SHA256=1A9A801FFF5231DDBC23B627EBE15FBF8C11DD7791FFD8663895CF6F150F978A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:38.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=630ED712EF71948731149CC43F2025F6,SHA256=5451BA4CCC158481A4D4379B42FB5390411C5C9801CC8B71C20EE74EB0931965,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:34.740{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49805-false10.0.1.12-8000- 23542300x8000000000000000595154Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D795D9A2EC7C14349B8602FCA5CE5B,SHA256=5A64880C801C03BF200C1A52D183242F3FC8564EEC2630527AFFFD85BEB9E4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595153Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:38.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9D9720E6B37D298A8514AE7730684DB,SHA256=9CDD5317CF87918551AAE5D531C65004A5A46995F117E3F42FC10896E1D60CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.905{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667C76C22409732677BA38DEF0C6A694,SHA256=4D935956C19DCFBF3E530F1D66E9D7FE499CFF592974B6F7862D38E861235DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595157Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:39.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8F11B780DA00D666749D382E41D1E4,SHA256=3B49B9D5F55D7268483C3961679654CDAF7A771AAAB196CC75937B640E67CEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.733{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3268E526FEBD67E64D69A8B1D93CE4D4,SHA256=D46DF7F403DC7CD709AF59CEF783BCCBF90F31465013CDBB70F27C3A4792EE56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595158Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:40.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66FCFF7ACDF3DF6F4347D5B8B6FA24B,SHA256=40158D995BBEBF4B34BC3BB1009DE91B75D50184D77343F7554D73F5849E7171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.920{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8020C665EEBC336120176AF5F9EAFB54,SHA256=16F92D47673F4F015F3530DA31F0B9143567BCAE11CDECA9AF651D069E18956B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.920{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E02F8DF6ABDB28D6B2FF4C5320BC254,SHA256=C5772F779749FFCD6384FFFDF8C5DF6892734438EBB67139F01E6E4C84B74D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595159Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:41.632{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDB5BCA62B7702EC6E6962096B92F6E,SHA256=7551DCF8637DB92C6F8F1F73F3829F457E8B5B056A134BFEBA137499355A9EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.686{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=70540FA424E8C3698C3855030A674137,SHA256=3FD056E6D3CF83C85670C37ED541711D75D03E837A88A128794DFCCB6A71B610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:41.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE06D5AF2AA560F42D697D6A7CB6A473,SHA256=4D69C1DCCC4505700424F240F7631F677EB4BF436EAD221DD124521AE14E3A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:42.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924990F16816E658510F74F6E4367DDD,SHA256=1092A3AA4EB5FCA2C1D3FCFD40EE9B7C928CE4603F3CD9C7BEE2E393ACD1B196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595160Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.647{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9806B87C67D7791B0E28E80123CF96B5,SHA256=3F2A34ECD343BD9E80C55FCE7EB43360AC7FD147C66B8CE42976C3A3A3348277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:42.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2DD5C9F217C5EDE4E03E4C096FAB2DF,SHA256=921162201248718C127643F77ADAABC2384CED75B41EF23EA635801D48B9A4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:43.952{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B60FBE0D2CF7418EEFE98F8926889A,SHA256=F04203C5D91FBC5B358102A13D2D5831A88B2953D67E286ECEE067B3A911E239,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595165Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:41.073{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595164Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.664{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0480841E70241D44F00727BDD277F349,SHA256=D75A6A8ECFD3D416D7ED1B0F90EC3EA8998C9089871A832DDF05FDEACCACEAD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:39.740{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49806-false10.0.1.12-8000- 23542300x8000000000000000648943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:43.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE6975592BA9B899FCAD1B861206044,SHA256=7CF5C5B2691CB7CD6E02F860D8CEB0640F28D6536BCF80CC62F3C5A0B24A3580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595163Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.335{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-772D-60B6-0100-00000000C501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000595162Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.257{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01083638B9A949EB5AAE481580CED864,SHA256=29F9E465DE56C62512D06E3BB10E7BA1A3F3548D010E20ADDF07B28205D53881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595161Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:43.257{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14D795D9A2EC7C14349B8602FCA5CE5B,SHA256=5A64880C801C03BF200C1A52D183242F3FC8564EEC2630527AFFFD85BEB9E4A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:44.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9368CC78C44642BB732E92EFA202977,SHA256=BC659B5E149295C52F843A4786AA830DA23D2E63D31B627E5912B70B8CEC8729,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595170Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.169{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49752-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000595169Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.168{97C2ED32-772F-60B6-1400-00000000C501}828C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-236.attackrange.local65172-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain 354300x8000000000000000595168Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:42.168{97C2ED32-772F-60B6-1400-00000000C501}828C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:3039:5f36:2821:222a:9ae:ffff-65172-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x8000000000000000595167Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:44.680{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09687E9A093EBF6A14AA6417E9A17C77,SHA256=88086AC1F6ECC84578B1D886C2C920D1B73F135D75CEE2B957F4DEB3A611ADEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.869{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49752-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000648947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:40.868{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-233.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal65172- 23542300x8000000000000000648946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:44.295{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ADB328FA6BF164F8DB4D6137C976489,SHA256=6EEA329A0E861EEFFF91D080422652227B1628EF63C3E6BEC558F65F8D2B555A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595166Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:44.336{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01083638B9A949EB5AAE481580CED864,SHA256=29F9E465DE56C62512D06E3BB10E7BA1A3F3548D010E20ADDF07B28205D53881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:45.983{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5B4D9D70791861FDD8B8547023ACCC,SHA256=EE711E8393227B2D6C7DE99BC57D25686E5A3F8575DDDA6D29AC820E99395CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595171Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:45.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D34D3ADECFC270A2384C91A861CC8EC,SHA256=6B0B0252B78FB7EF0AA425B53A042A893206EF44B1F730BD2C6A0A0665CA00CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:45.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E86212D30096779F7933D2E63F47BCE1,SHA256=DECD91ABA6DD06C5242021FA5C92B25D7661F3E639CBD917511AD652BCD2361D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595182Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:46.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9ECF3C2ABE2DFB98BF4A5A81B1BC846,SHA256=03F8378490BC7300F5246D5B7E8375F65B6BD34E50B3E7E9BEEC41B7C4EA269A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:46.811{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D499D25CF1E8E83A82D6B56FFC781BA8,SHA256=5901CEF6F1F865A2C5DAF94F69B028D420DA07634D0C4925289F13D5F755A07B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000595181Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000595180Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0963649d) 13241300x8000000000000000595179Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75877-0x35c89f00) 13241300x8000000000000000595178Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7587f-0x978d0700) 13241300x8000000000000000595177Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75887-0xf9516f00) 13241300x8000000000000000595176Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000595175Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0963649d) 13241300x8000000000000000595174Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75877-0x35c89f00) 13241300x8000000000000000595173Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7587f-0x978d0700) 13241300x8000000000000000595172Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 13:51:46.242{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75887-0xf9516f00) 23542300x8000000000000000595183Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:47.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9473CDA787CFDEDFCF911DE639587051,SHA256=B79B94DE170A5CCAB50E0D4B39226CB9C3641153D52C6CC625503A24EE2C1D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:46.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED8097E9ED0C4DB99194A8589CB1AE8,SHA256=6EFC836AA7DCC47E4C573030A4E2970B67163EE1B511898259E3964A0F46012F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595184Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:48.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96640354EA1B3D0A66D23590CB4F0ED9,SHA256=C670D5C66D3E448B6D55764C1DD8871E7E15B563ED4CDA4EFC6F517BBA08F392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:48.186{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA0697728E342BF859B6F28F1D9A42D2,SHA256=AC97EDFE5FD4C351FB95AE4ADED88BE84C63011FE06F5AA4A7CC20EBC09566C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:48.014{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3746DEBE9673141FDD37B702EBA62C2D,SHA256=15A445DB60F9D87B9B8E916A6CE8B1E0FF1ED1F838DFD6BB1EC2F33858BCB9E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595195Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.852{97C2ED32-DE75-60B8-4158-00000000C501}7404180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595194Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595193Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595192Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595191Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595190Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595189Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595188Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595187Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.727{97C2ED32-DE75-60B8-4158-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595186Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.711{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7511F49AAC6166B956DEDB2EBCA58C0A,SHA256=C7775E2A01DF8A8AFC913592343B4EB964ED916368BE5DDE9D35EC27A2815A6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:45.772{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49807-false10.0.1.12-8000- 23542300x8000000000000000648957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:49.280{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D330A6350264933D0ABAA4712417CCA8,SHA256=9E84FEFFCE82036F5D19CE7DFDE7FC4493015D97AD7C6576C13ECECD18C818B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:49.030{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C489AF3BA65C9D0708A39DA497B79EE0,SHA256=4805E92A9669C11DAC1B00ADDEE517764F0DE9C8B933418AB0DDEFB5A0FA35BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595185Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:49.070{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ACD191BEB281153C343F54B08F0D670,SHA256=6FA76B52E74D34AC88C2DED7D4624484AD209ED0F68519D6F321172FFC4D1410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595207Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C15DA3B57E0817A30163E0CB2D612D,SHA256=34547E6D0B96B04B93A3CFB052FE73546FB188F9CA9E1DCD65C09CD128E360B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595206Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E460A25AC61C15E8F4EC5CA92CD8127,SHA256=379B2145D8518A685FC8222EA9B003F5B25E784B3FEC3D1E6348AD4B1CEE88D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:50.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=864D143996E98127F281BCC931C82540,SHA256=5B180D3A435557B1DFB2D66C9C25A4BE0371B257AEFEA68B7F3F6B3F95CA5E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:50.045{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1712A10B035B9514270F4423CE514CB7,SHA256=78F83BF28D096A090E578B66B76F9E2880D21DD7FA726A88CE0899EEBEE4A69E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595205Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.524{97C2ED32-DE76-60B8-4258-00000000C501}44164296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595204Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-BD90-60B8-9F53-00000000C501}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595203Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595202Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595201Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595200Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595199Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-BD90-60B8-9F53-00000000C501}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595198Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-BD90-60B8-9F53-00000000C501}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595197Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:50.399{97C2ED32-DE76-60B8-4258-00000000C501}4416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000595196Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:46.901{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000595225Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE77-60B8-4458-00000000C501}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595224Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595223Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595222Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595221Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595220Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DE77-60B8-4458-00000000C501}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595219Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.742{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE77-60B8-4458-00000000C501}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595218Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.743{97C2ED32-DE77-60B8-4458-00000000C501}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595217Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD720BFC091893704EE08E546EE7590,SHA256=5947D51D631B9FA7EF4CC1F9F2D20BAB46840B5F207F18470219B3FFE6BF5546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:51.748{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5EE0E71CDA32A94FD5CAF02798D42E0,SHA256=628DA347158AD913FC68D35145ED91D4BFB03B97F89505D0A572DC1C3746CA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:51.061{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07903F8A49AAD4984656373E924BBB4,SHA256=E39AB43BD4CB8D60102A3E1FD43948071DFE30100DDFABEA885BF7308C1F2DF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595216Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.195{97C2ED32-DE77-60B8-4358-00000000C501}34761724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595215Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE77-60B8-4358-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595214Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595213Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595212Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595211Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595210Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DE77-60B8-4358-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595209Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE77-60B8-4358-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595208Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.071{97C2ED32-DE77-60B8-4358-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595235Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.727{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B8DE36F2457F913C5D47218EA1C779,SHA256=2346B910F74D9DE513117D846CE6A9C076634EE8ACFA46B85070313A2ABE43EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595234Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE78-60B8-4558-00000000C501}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595233Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595232Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595231Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595230Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595229Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DE78-60B8-4558-00000000C501}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595228Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.414{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE78-60B8-4558-00000000C501}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595227Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.415{97C2ED32-DE78-60B8-4558-00000000C501}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595226Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:52.086{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6133628B36EC94F8E357D6E2C6841EAF,SHA256=BFB46D82CE168DD13226DE9050AF6EA8AA1CBE0B6ECE055401C9B3B81A299994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:52.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBE7CBFB0F2CB506FA59FAFF022F494D,SHA256=E64E6F4E3365D1EFFCD012D7449CF71150DF270523B3108BAD1B2A84CBA08FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:52.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FECAC0196DC94C5258836EFD9166D7A,SHA256=D385F83FEDEB24F6D14182F7E3C3E74FF834D31861086E9756FE32023FAF5B1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595254Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.899{97C2ED32-DE79-60B8-4758-00000000C501}43205372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595253Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595252Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595251Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595250Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595249Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595248Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595247Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.758{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595246Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.759{97C2ED32-DE79-60B8-4758-00000000C501}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595245Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.742{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3632276AAB7D0674BFA4EC8F81B99A9D,SHA256=DCE45E9957446F24F87320996A526E462B2AB02B2EDE7A5E5E8BEFE25B5D33EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:53.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C14DADE14CECC0DBAC7723532EB7974,SHA256=6E4BFCAF549951D940154FEEAC930FCEE8E8BB119A0E16057681483FD3B819A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595244Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.446{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8CEEA3D848E6286FB4092E27BABD7C,SHA256=0EAD732E7EB1676A864FBF2766173CA1A454A6E33FCCF73F9A5A26A4BFEB11D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595243Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595242Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595241Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595240Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595239Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595238Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595237Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.086{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595236Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:53.087{97C2ED32-DE79-60B8-4658-00000000C501}5528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595256Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:54.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917CE648DF35028A0F038A96A791D4D6,SHA256=738ABADAD29C6D7AF5A1EE241A666B271958697256907C54E6E752B44E136AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595255Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:54.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B2B49EFEC173DD8DF00FF153A9CA3A5,SHA256=6F81C214563175D8A1778DD78092B20306891B22FAFD377FC3F4996DB247D692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:54.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B2EC2D3E4FF4CD1F96BED9661060A6,SHA256=50DD91B02213D7E6A59D8AFB58EEDB708B4AE26312AEC95D028D9955DB4540EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:54.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F5A1EAA440D885D15409F8E2114464,SHA256=4D59FC00017CDC1398C81665E32D51DB3C2445352CE03892D8C7703A0ECD45A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595258Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:55.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DCDBE7435928802E44F171E13761EA,SHA256=28865A95338C54A906968C9CB09DEC8ACC4544C7D1C2C6632EB7F44CD7A90441,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595257Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:51.995{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000648969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:55.420{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D543C440D3CEAA864D2F8D4847100D00,SHA256=CCED230F6EDDC9803301EE7F2FCA4E00990C483A35BBD1981D6870B58141D151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:55.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F300944A61BE44EB2E03BD2DFA41D61E,SHA256=1ADF4B4500DD79CF71F355AF7DDECAACCDCDEC03A8D27B8204990C55EA309D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595259Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:56.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8188D0B900F7D907AE62001C6280AF1C,SHA256=8B1F2E46E8ADAB0DFDBBB41B314262468EF20FED415C22F28C9936EFC2308312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000648972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:51.662{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49808-false10.0.1.12-8000- 23542300x8000000000000000648971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.534{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D340B7BF318E31FBB02E4E9B02A1D7,SHA256=A8C71EB92002C7AF02F20736331734DA13C4A3E89FEABFEE8B1DBDA1151FAA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8E7BF53F10E326C2B443226BC1F3FE,SHA256=56BA5A97202267F902E1BEC43604E6D91DCA4F9BD7244E143B8F875DC4E7735F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595261Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5E174471A92968B855CB35AE2AF272,SHA256=F9CF4C517930122934DDEEF62A6BBED1D6213229EFF8912CC966254AD08CEA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94C4A82A821B64BCF6F86C3615A3E49F,SHA256=62B636F021DF7DA004D70EA42B10CF6EB590D2A155C25B020BF834E03DC5152F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.096{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B909C3D1E82B3821402B9C280961DD,SHA256=78E58F78CBEF50BFC33DD6683DEB407E6277422979BD3CD7878A074B4506B566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595260Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.245{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595263Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:58.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E541BBB6363361C3D8B2902056282CA3,SHA256=36D42E1D7A477048F7B4F4BDEEC7A9F170DEFAAEE4094A6AA435EDF70EE076A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.971{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000649005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.955{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000649004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.924{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.924{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=004D010A5247AC911E18435353BF97C0,SHA256=C0E6238F51660F10FDA76D18A0DE8394EFDE392A979428AFEC294EEB03C05A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.580{D419E45B-DE7E-60B8-674E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.503{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.503{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.440{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.440{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000648996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:51:58.393{D419E45B-DE7E-60B8-674E-00000000C401}4812\PSHost.132672019182057544.4812.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000648995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.377{D419E45B-DE7E-60B8-674E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gcdcmc5r.vri.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000648994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.377{D419E45B-DE7E-60B8-674E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2bidgoer.ldg.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000648993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.299{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2bidgoer.ldg.ps12021-06-03 13:51:58.299 10341000x8000000000000000648992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.268{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-DE7E-60B8-664E-00000000C401}61004948C:\Windows\system32\cmd.exe{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000648984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.205{D419E45B-DE7E-60B8-674E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000648983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000648978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000648977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.174{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000648976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.167{D419E45B-DE7E-60B8-664E-00000000C401}6100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000648975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:58.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA77A7B3C7EFF8ADC1663FC0928FBEFD,SHA256=83C536755EBE2E7B75517AA459DE36F4DB8D1DCD4A1FF54070ABD3976BFD60D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595262Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:58.276{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AE19543D9B17C8A331F358B4028199,SHA256=A644B150CEF2B7CB0AE522DD0A072C52A42813D46E3B500BF03CCE7B9E80A2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595265Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:59.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E583088C7A552F76044B769F57FA936E,SHA256=B27F00F1CEBCBE21A79C91819C95DE54F765F611E3D127A0A338CE19CF8D7CD2,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000649030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.176{D419E45B-A18D-60B6-EF0A-00000000C401}3200win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_wx0nq5il.00zMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_wfyuldho.ywuMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_hpzxallb.vi0MD5=5F619D07A23D16584AA58EEDB1DDCCDC,SHA256=9BBE6801B3B337A07A8B6DF0B52E2C4BB76EB23B35ACC78BA59041690A073EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_lc5xhmwd.rxyMD5=16B8F0400C23275FB5F7BFB175F7B491,SHA256=6980226153F7317145EDF65E684F2ED03B242E37D09FD059138BFB51A26F6401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_2wamxuo1.5rcMD5=15200722E11C8FB935E1EB3A62BD407C,SHA256=E06941E35D85F9C7A3CF19EBC4D157BAA9AAB7FEBF4592E678EC88E2B4803062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.612{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_mpgymmk0.vaqMD5=8078C8B8E62CCF450959319A920BDF72,SHA256=EB58B74E3B8EF39F459C613122399757C936A71B94221CE3B7DDBD2B179A5322,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.580{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_umiif3bs.kx42021-06-03 13:51:59.580 11241100x8000000000000000649022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.549{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_wx0nq5il.00z2021-06-03 13:51:59.549 11241100x8000000000000000649021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.549{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_wfyuldho.ywu2021-06-03 13:51:59.549 11241100x8000000000000000649020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.534{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_hpzxallb.vi02021-06-03 13:51:59.534 11241100x8000000000000000649019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.534{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_lc5xhmwd.rxy2021-06-03 13:51:59.534 11241100x8000000000000000649018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.534{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_2wamxuo1.5rc2021-06-03 13:51:59.534 10341000x8000000000000000649017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.502{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.502{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:51:59.471{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135158_mpgymmk0.vaq2021-06-03 13:51:59.471 23542300x8000000000000000649014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF92DF3A6B70C7DC6986B33C047E3713,SHA256=63469EA8C045E6B6AA12803691EBFEE7E8FF5263C459CBA2E23658FE4A146C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.252{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A56A952B1ADABEA10B182D8024E5F68,SHA256=56F792541E3D0D7589713688272F9C45C0B31E7FDAA68E82C87827812FF2E065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:59.252{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5E14646F204E0D7AB4ECA3B765F376,SHA256=2432FFA60E54FABBEA5AA786E6673AD4B140FCB8ADC59479FFF7E6BC41A68171,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595264Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:56.061{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000595268Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:00.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83F1B5D6B009A7827E74935E726CD2D,SHA256=2EF79051DA68F9C1E7E2F4176B365F7B37E33A531F9667CD58D9C7C5C468A411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.037{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49820-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.037{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49820-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49819-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49818-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49819-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.979{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49818-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000649058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.815{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD02F39143D42F709753A7F742927172,SHA256=C512B8130083F5D1FF387013D81B68D1065BCE0689A29240612458B9020796A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49817-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49816-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49814-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49817-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49816-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49813-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49814-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49815-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49813-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49815-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49812-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49812-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49811-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.975{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49811-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000649043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.456{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A9DDF13D430A73B2F0B2FD3370A1197,SHA256=8586E2B8D2D86B26992B99251ADA234FC72F73A8679C4464764DA118498813DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.346{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.346{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.346{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000649038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E69109EE16D4812AA1BA3475A0614D5,SHA256=8336C4F38C45B7727D1BA4CA5000565B5A995A2B2650139ACC4B45EFDF9A7EC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.330{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE80-60B8-684E-00000000C401}760C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000595267Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:51:57.904{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595266Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:00.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B6D8F4146B9B2BE5A6EEE256E8DA2FA,SHA256=1CDE5DDD599B0E00B2F61081E315C7C8B76CBE29220CED91305A00E85478B572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:00.221{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.509{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49810-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.509{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49810-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.480{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49809-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:56.480{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49809-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000595270Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:01.886{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5DEBFCED12D98C40A6E2C603F003C5F4,SHA256=1AE9B15314034DB941F0C19BD67334A76A50DC2AEA2562B86FFE34B319D11F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595269Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:01.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BC4B91CDD322F8327E8985CEEE2687,SHA256=15A28ADBEFA4FB03BE5DEFED748DDE6C623EE2F8A53975D978C75FE10C35DA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.729{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49822-false10.0.1.12-8089- 354300x8000000000000000649067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:51:57.604{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49821-false10.0.1.12-8000- 23542300x8000000000000000649066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BCBDB04644FD3EE7BC981C1108351CD,SHA256=925349BD2EE0F0DE505BA8FC0A4DBF6C277B513B022F12D950437546311130E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.455{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C348FFA4973D8456189F6A9193B9343,SHA256=4CE801E12AA786BD2B2B25CCBDA8AA6149FE4F8CCE6F3DF619BD2433E3A6EF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595271Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:02.776{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A9AB9280CA8739F2A8E90B652DF5A4,SHA256=87E53DFE7131F49851F037CC3ACB5E4E3B4EDD38E05A37C92EA14B53E5CBB54E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:02.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F469FFE7C59BF227DD663784523EC8F,SHA256=075885EF9614EA45D5F521A3590909E81C5F203EC0CFE6642D27349E01401F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:02.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D4ABC55B42FFC7DB1052CCDC211764,SHA256=9F2807F266471F65376F1143AF5A40D2D2A5FD93D5C7B29F7FA524CBDDD6C067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595272Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:03.776{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250CB454E25ADB3D2EF85AB166C8D89B,SHA256=144892C263B7C7AC7A0AE48CFE8ADB20AB8004A302ECF6B66D5418CCF03D11D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B8EAB45DD79BE4593C7C9639FA10A7E,SHA256=71DD7533978D4270CA79F8E1A36F8C0D8EBB08DCDCC6898E52A629E507A6CD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E555CB7168F83DC19BE02BFD7FF0BA5B,SHA256=90F8C47A2B600CB2F184794D5CB2BD751F6D5B75A80AED73FFB09B0C67E1AE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:04.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4670135D7C46279A0E025D6655B3DF0B,SHA256=758C08E5CB7D45528763089349CDCE76E2D64B389FC663502BCC41A058B73892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:04.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116DA717B4B8CF327917BBAC3E9FA313,SHA256=6053EC2563EA60A52E13216CE42B11A858D8548E87C91E5C71D4D71787FB3F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595273Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:04.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD3C33F6276E9658E291F65A86A59F6,SHA256=974171117EE27B2FA401F8295F97443088D2DF045798192C66AB88F6AC506517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.612{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA894E80770B408731A251770125D93D,SHA256=0372DBF5AE37DD40B45662BFB77687AA0D331F96E8EC1C3F92A4934B4E18D9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.424{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.346{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.346{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.285{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.285{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000649095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:52:05.252{D419E45B-DE85-60B8-6A4E-00000000C401}4888\PSHost.132672019251046846.4888.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.237{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5dqybcmf.bsa.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.221{D419E45B-DE85-60B8-6A4E-00000000C401}4888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yca021bn.ddp.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.190{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_yca021bn.ddp.ps12021-06-03 13:52:05.190 10341000x8000000000000000649091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.174{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-DE85-60B8-694E-00000000C401}8602716C:\Windows\system32\cmd.exe{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.104{D419E45B-DE85-60B8-6A4E-00000000C401}4888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000649082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.098{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.081{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:05.080{D419E45B-DE85-60B8-694E-00000000C401}860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000595277Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:05.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA63524F8068B40B171A08640D98572,SHA256=2A19E57554E011AD77C432357F08BD7E4C306868B3AB9D469DA96AE127738409,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595276Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:02.920{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595275Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:05.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46597AF6E5B2E480C3C6C6C485CC37BE,SHA256=7E67E77D6E622812A1C91F3DE9CEC9BD58EB9826E64A7538031EC2E4F8F2367A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595274Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:05.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AE7520DFF186B82F560D2E9653066CF,SHA256=443415F838E4B3A06C68581081B645B6A298332633CAEA8FFEA4B2ADFF96F603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:06.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75C7221CA3E0AD9F185E3F6B7020007,SHA256=8E93C5AB719CC979D2AC167EB79759C728BEB906545A91DAAE7B842C19909AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:06.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E0A5B99CE0AEBE1B16364B28B11609DC,SHA256=4162CDBBA698FC8033705C626460C4E96AB1D869468C84FB2DACA9A5600AC8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:06.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD56CBDAECBF2270BF66A283BBDDEA6,SHA256=40D753C98FA17EB0F0AFB4F3866269F325F169829C7770DC96881B2E63595E96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.542{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49823-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000649102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:01.542{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49823-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000595278Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:06.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F004DD245C70B907FE12FB45E33DB8,SHA256=576B295FE1A18A8EE590BE6DE506A82CC1F30FB2D265EC5A6CE360743A0E22BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.377{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FDB00161E0B54F82C4965FC5EF24DF9,SHA256=552175DF7B9C63C7A3A9464901F8EE356457485571A569D6C3DBB2643C3F6A2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.284{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:07.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A769943EA77DD115D7E53C407F2D0947,SHA256=D21A6927A245D6227183356E5791C38AED4A3874B28770C1E1089635463279FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595279Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:07.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE721BB10CA177436D1DAB4B83CDA28,SHA256=30927380EDF3AA39B376E2801DAB88AC27317E01646635935221CCC8D902528A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595280Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:08.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1466E73A310AE6323A9D0CD6B89170CE,SHA256=EE1A6A1CD09B15F390E1DD7ACADD740A7DEE1C5614300B5B962750BBE41CB409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:08.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC75863C7A8D0663895E51444E6389BF,SHA256=9E5370976D803757D4FA428E047A65CCA17655571049F4A3D43144093DA92465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:08.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8F167E002C55DA2752110B2BDB46AD,SHA256=DF554DF448477822E5B43B1D7B052058AFF5A6CCC384D6DD07A0091451C19FCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:03.603{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49824-false10.0.1.12-8000- 23542300x8000000000000000649145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95218AEF9C1C25A4366549BA402B3355,SHA256=9E1481EF6C45B33B43B68DDEFCE29E0F481B745E8A7CD261132245AD6CC60BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E61D6F2A84A14C1BEF5361B2992D4E1B,SHA256=2736266A363A64ECCAA33ADA147D4B068222F6EA057E6B6C031EEA3AD96E1443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.159{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D52D9332D50FBAB75B1C7410F8FCA4F,SHA256=9C6C31A3C1117E8E7CB3A008E716D3544072B9869715EDA82D319B850F1151A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595281Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:09.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBEE0AA678F3968E876A54533804384,SHA256=48412067DBDB59C766375E0BE405DFE90E97EE434BE2996B5B1DD37885DC74FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595285Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A47082A928CD904F23EA6A980B327D,SHA256=685AC4AB732372E2BD5C935D27A6F617C88FE07D58A48708D97DF5BA30F158B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1DE7EF866ED205EC67870F4EA8DF68,SHA256=0C99A6BA635F061BACE35245053218D381BB48A4BF3A90FFE7794FF4B1F79F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.268{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A2B7BEA772FD00868569A12BAAA343A,SHA256=5141FB9DF661EFE6B3A4547915EC30A4EB3E999D24D4C543BA0FF155AF437C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559A7C5A2BFDA3B6170CAB13727F0398,SHA256=6BABC02CF39BF5BC563FCC3236D793A1C7D2538D5E9EEB6BF86C0D8369CF856D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.034{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF49247A0B35C9AA255D637BD818965,SHA256=2827F0508C41D6C05356A4BAE65B1F1189D75D9CF05530769F81BE95E8AB4DBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595284Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:08.045{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595283Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.214{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB9AC450E8FC4B175C58933C3B1CEC0,SHA256=621CE79DE2EEAF566AE386743EA07379247F72388811F178456E972CBA6E623F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595282Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:10.214{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46597AF6E5B2E480C3C6C6C485CC37BE,SHA256=7E67E77D6E622812A1C91F3DE9CEC9BD58EB9826E64A7538031EC2E4F8F2367A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595286Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:11.839{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF575C0B2FC0C49326DAABE5DD34B34,SHA256=17F6A420EA69FC4C4B58D75AFD74622F54CD3CEC2A56598731F97FD99F36577C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.940{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584C9C1DCBBB5F4A086BD0C4F6C2DE43,SHA256=B2D9BB8E32851A6269B50AE7D5E46C6082BC55C89D7D69233C0CDA9420774AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ECE63E91769AD94D767939CCB2F0EEA,SHA256=44CF8656D4C9911A7FD2730E59A4163C687B02ADF284FEA3F844C1EA4EA619D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.190{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99B07AFF1A8A5BDC2ABD851203BFDBD,SHA256=5F6E00D39F6EBE330E9D910E7DD9A577FE7AC759E88918471432AA52B20C5603,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:12.987{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_groups.json2021-06-03 13:52:12.987 10341000x8000000000000000649188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.721{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.627{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.534{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.534{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.471{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.471{D419E45B-752D-60B6-0B00-00000000C401}6326508C:\Windows\system32\lsass.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000649175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:52:12.440{D419E45B-DE8C-60B8-6C4E-00000000C401}4284\PSHost.132672019321729269.4284.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=236CA8DCC70B9150F4B054B832AAE345,SHA256=8C613B402EE11D0A32B5D9E23E3E326E1EEB8910EACF20E7D5D12AED60A435CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.409{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3tkycblr.qn1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.377{D419E45B-DE8C-60B8-6C4E-00000000C401}4284ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ixhsvqdq.zsm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.299{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ixhsvqdq.zsm.ps12021-06-03 13:52:12.299 10341000x8000000000000000649170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.252{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.205{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C856C77A8CE198ACDE5B6CE30667D8F6,SHA256=6F6D3DF5882C1E3C17FA1701DDDA81E2FC9A18F376111261491A2BAD61ECEB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595287Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:12.870{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AEE4540935CBBFED1C48B98015E51F,SHA256=11C526572E8D2BAE0E11688DF6C174B962F31537D6D3E9E535596137A1DD669D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.174{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-DE8C-60B8-6B4E-00000000C401}54682212C:\Windows\system32\cmd.exe{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.172{D419E45B-DE8C-60B8-6C4E-00000000C401}4284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000649160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.159{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:12.153{D419E45B-DE8C-60B8-6B4E-00000000C401}5468C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x8000000000000000649222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.260{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49826-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.260{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49826-false10.0.1.14win-dc-233.attackrange.local389ldap 10341000x8000000000000000649220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.752{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DE8D-60B8-6D4E-00000000C401}1944C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000649214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:09.619{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49825-false10.0.1.12-8000- 23542300x8000000000000000649213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D13C24BE5A5CE22B8D20AA5C7BD9D69,SHA256=41492C333825950178D213AC48FD251F5A7C385463341E8677B10A1B27B3C740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76E8D671C2E914F03364058D9085E0F6,SHA256=C2CFD5229B3236F8E6EF0C0EE9DEB6E6B5BB57183C788835353DAF220629448C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=0D30DFB54488D59E2B5B93E04E43134C,SHA256=C0A9ADC14C4C1D34A5502CA9D21C4DE4CF6366C1BD92D0B295E66AECEB068969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_users.jsonMD5=8F412C3CDDB823A176BAF09F25E803A1,SHA256=BA67CD5BF43E1155F10328612FC19FE79FE351922AAB0B70604477DF78E1A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_groups.jsonMD5=454D4C3A03B3CEE9ED18B2363743C7D7,SHA256=78B9EE14E56513A90D7A86F8193A98C79C9D86B7ED8CAE35FD5801DD6D80ABDA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.127{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_BloodHound.zip2021-06-03 13:52:13.127 10341000x8000000000000000649202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.096{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.096{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.096{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x8000000000000000649199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.080{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_computers.json2021-06-03 13:52:13.080 10341000x8000000000000000649198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.049{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.049{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.049{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_users.json2021-06-03 13:52:13.049 10341000x8000000000000000649195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.049{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.049{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.034{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_domains.json2021-06-03 13:52:13.034 11241100x8000000000000000649192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.034{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_ous.json2021-06-03 13:52:13.034 11241100x8000000000000000649191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:13.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135212_gpos.json2021-06-03 13:52:13.018 10341000x8000000000000000649190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:13.002{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000595289Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:13.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB9AC450E8FC4B175C58933C3B1CEC0,SHA256=621CE79DE2EEAF566AE386743EA07379247F72388811F178456E972CBA6E623F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595288Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:13.902{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D52271E6CB345E4F87478CC482FE40,SHA256=1D9DF9E4E6E0E5CFCAA7FF686BE30F13A0DE0872D3CC478E3DFC7B750C6326E9,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000649253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:11.182{D419E45B-A18D-60B6-EF0A-00000000C401}3200WIN-HOST-236.ATTACKRANGE.LOCAL0::ffff:10.0.1.15;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x8000000000000000649252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.622{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49843-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.621{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49842-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.620{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49841-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.588{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49840-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.588{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49840-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.585{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49839-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.585{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49839-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.534{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49838-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.486{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49837-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.480{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49836-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.480{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49836-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.457{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49835-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.457{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49835-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.456{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49834-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.456{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratorudptruefalse127.0.0.1-52604-false127.0.0.1-52604- 354300x8000000000000000649237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.456{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49833-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.456{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49834-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.456{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49833-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49832-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49831-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49830-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49832-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49831-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49829-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49830-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649227Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49829-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649226Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49828-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649225Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.453{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49828-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649224Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.452{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49827-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649223Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:10.450{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49827-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000595291Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:14.902{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD5B4109AEFDD3763D5980A3A5747AC8,SHA256=0AB174FE46E8C63D0232929281D7DC5FA52148EA5A3890FA41F454239A1E554E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595290Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:11.787{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49837-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 10341000x8000000000000000649266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.487{D419E45B-DE8F-60B8-6E4E-00000000C401}67443932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C887F975D767C88FA57D776442E4042D,SHA256=A8B657CF48A3D766F687244C6AF7788A3C2BB8F7EFD6D6478DFDD6F687D141B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.284{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD70757297D387A65138FF61A63DD5EA,SHA256=63387A1B00EAE247855B2ABF2770C04974FA5E132557BA496403D8477BE3206D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.268{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239AAD3A575F99FF407384902E499514,SHA256=0FC579261DFEEE8300B1227197B23F8555731F14AF1B171734102061EAA2299B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.268{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=626C9476A97E2BD592F193F6A3EDEA9F,SHA256=6AA260A45B87C6A5758B1FA736B8D033D459F94921513DD3FAAB4A816C57C0DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.268{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE8F-60B8-6E4E-00000000C401}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.252{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE8F-60B8-6E4E-00000000C401}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.252{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.252{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.252{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.252{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.252{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE8F-60B8-6E4E-00000000C401}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.254{D419E45B-DE8F-60B8-6E4E-00000000C401}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595298Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:15.933{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5C1DFF6CF7997FCB7D6BD8ACD0AE2A,SHA256=F613A6A880AEDAC60A5316C369FCA050FF6706654C8057CE0430CF3972AED0FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595297Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:13.061{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49760-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000595296Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:11.923{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49843-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595295Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:11.922{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49842-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595294Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:11.921{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49841-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595293Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:11.835{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49838-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 23542300x8000000000000000595292Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:15.261{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8922812F4BD280C5E060F72771C0BE17,SHA256=0299FA709ABAA05B5BE2974054332E464D1B4EEBB934B6BF36AA6D33CB609D51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.934{D419E45B-DE90-60B8-704E-00000000C401}67285212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.778{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE90-60B8-704E-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.762{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.762{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.762{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.762{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.762{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE90-60B8-704E-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.762{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE90-60B8-704E-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.763{D419E45B-DE90-60B8-704E-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.403{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8294F3163CE90D56F842B47B41458DA5,SHA256=9C065433BF6AA4F4F30C00C1DF2127C1EDC223EF30620E141B41882CA1AB709F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.284{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEEF7566AA0C824A8105C2F333CE774,SHA256=F9A15DC92873473E3F743BEA2D7738526FB89A8B687EEBA29DCE3415103C8FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.127{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=919FAC31DA1035C57173FF036BB245E9,SHA256=62C44A5AEDDDE98591F4BFE6D6672845628148CF31F40EF693DFB171DC84B844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BECE8AB4AD7811CE14B4D61D96B20D0,SHA256=7DBDF69DB0660D7CCF5171790F65F9CD89B5AE41374E6BF92DE8E7DB4B5D651E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.112{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE90-60B8-6F4E-00000000C401}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DE90-60B8-6F4E-00000000C401}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.096{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE90-60B8-6F4E-00000000C401}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:16.098{D419E45B-DE90-60B8-6F4E-00000000C401}6848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595299Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:16.943{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B293469C112B64D70F700341B025C1,SHA256=BD1C5BBE2C52D4740121506585B2F45694085A317E164FB31EADDC7C6E6D4D07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.606{D419E45B-DE91-60B8-714E-00000000C401}69606832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.559{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A81C5F70D5A8195824BAC8371E78FDB,SHA256=6D9745B54AB0B64EB43730A19E0ABD5A7C8944B396A0D3629363D014EC94C9CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE91-60B8-714E-00000000C401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE91-60B8-714E-00000000C401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.450{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.434{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE91-60B8-714E-00000000C401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.435{D419E45B-DE91-60B8-714E-00000000C401}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:17.309{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C284D774B0951ABA93F53391F4D3F1,SHA256=3527B39F5C05B015A158FB6DA497EC577426E491385850F8FB35CE7F0D80ACC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595300Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:17.943{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAAA3917C2655D7FCABAD3BEF94838E,SHA256=89FE96E5CF5153F5866BD7BD963AC40153A1FF8945D00C266F8C98093F350252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.825{D419E45B-DE92-60B8-734E-00000000C401}55883640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.747{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7681493A6DE3930802F681D6E012912,SHA256=2FD997B89EE195F8DA3515008C336671BDCE8012D4F372E47ECAFDE07F25CD5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.701{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EFC7340B4ACF37AD0663803E986628D,SHA256=875C25DBD4453EA73097A7557EC65BC00B02FB1641E2DBC302E44A802822D537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.701{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368A163A7C0915122D07786025CA4289,SHA256=A31F5E6A796FE9C523B67A63101C439EC9DA389146900C9958BBC7A113FE2CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE92-60B8-734E-00000000C401}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649311Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649309Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE92-60B8-734E-00000000C401}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649308Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.622{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE92-60B8-734E-00000000C401}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649307Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.623{D419E45B-DE92-60B8-734E-00000000C401}5588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000649306Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.122{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE92-60B8-724E-00000000C401}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649305Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.122{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649304Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.122{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649303Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.122{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649302Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.122{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649301Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.122{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE92-60B8-724E-00000000C401}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.122{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE92-60B8-724E-00000000C401}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:18.122{D419E45B-DE92-60B8-724E-00000000C401}5816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595301Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:18.958{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBEB42BE914FB371A0DBA3CD3FCEFE1,SHA256=5AE2EA0C2EBDA35357D6B71415E15D5FBE38C6F2679D97EA2F3036F5E803463C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.731{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A01E4D3D7595D6829F6D25D128E16F,SHA256=219360682D21D87D2770A7971585D3E32904692DE5A07E41D5797F18670355E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.731{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74A38D3C6B2EFCE4A07743525BDE3AE,SHA256=6FF8B3813B1ECA9F135EE4680A151F748BBFEF9C80137454A3165FC5F8010B46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:15.597{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49844-false10.0.1.12-8000- 10341000x8000000000000000649327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.294{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DE93-60B8-744E-00000000C401}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.294{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.294{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.294{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.294{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.294{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DE93-60B8-744E-00000000C401}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.294{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DE93-60B8-744E-00000000C401}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.294{D419E45B-DE93-60B8-744E-00000000C401}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649319Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:19.106{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FA2BBFF1FE8CD12C585C30D807E0094,SHA256=A55DAF6A681C8DD53D4CB261389D3572110C9B0D1865B5D8B853580E20FE05E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595302Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:19.990{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B285A10E063DFA3C46131E226D9450D,SHA256=ED27412A2B7E8F77CCF023D6762B8660C77CA6C5A3D7BFFF67309795472A4179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:20.747{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C774C31E27A5ED9ECDC2010DC72901A0,SHA256=D619061A0D67F8DA709E6A69A9A5E7F5ADEFE8EA2A51402FC1FA8395A42FD89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:20.559{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57043731D24DC874CFC426A5AFD8563,SHA256=03B6BE7C344A051F840147A9F2807842B36400AE5A33AED2312E7E3B96D9D0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:20.356{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC7B2971D4BF5E3AC63DB111E50EF756,SHA256=02D21D5EC1D8B456D79542BE85127E799184CCB19A59BD5725257E45D01FB7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595304Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:20.271{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02E19C1E97FD6BA4BF335F005863A646,SHA256=6A019E72A22FD9BE283977E19CC94B8429D27BA7BF8AEA332DBD3E60324BBF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595303Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:20.271{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B56F2F3453A84AF9001F227FC003FD79,SHA256=91C9AA21AC11AC02EB800FB47D816923B68DF928E35E963C6D17DBDDA1ED0125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:21.762{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5620BC6E4DD143916F3ADD52162D6DD8,SHA256=20BEFEDA9B87071FB04BB1284717218FF63A2CBF65E2D0B427C086C160CE3CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:21.762{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA84A1A520D4B86DF86B9C0348B6D349,SHA256=306488D8D47E3CBF97BDDE44603553F2D9DD9C5E780BA5076EE2BDA08D0952FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:21.137{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=933AB34EC71D6A2E418B220B56024C42,SHA256=9D67C8C4523D6EF27B32A10840EBDACB54C384D43064ECFB2BFFC57EAA5866A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595306Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:18.086{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49761-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595305Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:21.005{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FBE1EFD124DCFB535F39929047436A,SHA256=2743F7EB89FC60C1B4625713D2A433BF6B47DDAA661308916F870CB6BA97A34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:22.762{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6019733D37ABB8EDA8B3AA959A9088CA,SHA256=8A799C7E9784342B6E81FC704F73D068D0E1D0CC88157023448E89C67B8C72A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:22.606{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6947E9932451C866E1EC18AD8E0CBFF,SHA256=C8AC0732472E6B72040B73A71AB65B39E2BC0DEAA53684A3E57A6FEE499CA045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:22.387{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47E8375CE47FF3BA322386651BEA390D,SHA256=6C99E38CC5F7637ADF098096FF7A076560B800D14C6760F66324E810C68F95EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595307Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:22.005{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F26A7E37E10CE1EE35F1403A2F4AB28,SHA256=8BDFB2A9D523B399C7802486A4E008AC7BBF4884775EEDA705A009CA0960492C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:23.809{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73BD92ABB8CDFFCB58515100B0C67DE7,SHA256=066E428566064A3A480D7CA059E5D702ED3839C6E8684F58618AAF7F123A8AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:23.809{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94FB445F318E4BDB7D6E7F766690AFD7,SHA256=4E9715EE06A85E74D0F5B565F4A4DE2005138C8995B7B4D8AE4F1089D93759F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:23.184{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB148552BAE343A938C82DAA6F8E10CE,SHA256=CEB87B31D7EF823FE04DC8415DD19FF7C84DB854ED95ECC5F17AB0D87B53C898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595308Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:23.037{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60EDAAE17C584F29D9EE1297C918626,SHA256=612482AA8364827F13B0EC0307543F815BB9A3C24998AB74A13479515F8434E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:24.950{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD81F07D2A9C94F72B0A7181EFC7A5B4,SHA256=54F8B5D3EFF4B6346C91C505060FE01AE607D734E3096FE74B92273F679331D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:24.794{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=818BA1CBE56A4D397BFAAB167E1E3A39,SHA256=1A4BDACC1B23229A1798DEA863A14474955D966E94D930358603BFBA6473E992,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:20.769{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49845-false10.0.1.12-8000- 23542300x8000000000000000649343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:24.434{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FDCDEDDAABB4316417C7A515A56BEBC,SHA256=D21BA811D046FDEE4FCB5DE3B3257519EE1D6AB531775FE4A19569D58115CB6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595310Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:24.833{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02E19C1E97FD6BA4BF335F005863A646,SHA256=6A019E72A22FD9BE283977E19CC94B8429D27BA7BF8AEA332DBD3E60324BBF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595309Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:24.037{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01523A3211DC9F9A9532EAA2D3B0980,SHA256=E0B1FE39DA0E4ABD1F0DF78998094F88129F78508455105A4F518B56B858A397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:25.731{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF73889ED8231B9046CF3D1E62A2CE2E,SHA256=E69595554884E6A41C63C9E835CB30391F8E026147B10726950E98CE1A8698C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:25.372{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39168778A99A39BB1D55FB1CFB32CECE,SHA256=77812A8ABCDF4965FE767B660D77141B27110420F2CF98A62B1B81B3C8374F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595311Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:25.068{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4424DC059A56772D8C5F511F6A6EA92C,SHA256=95B5912EDF7AAB082C5C0E35C96FB414312AA65E9E1A824E25C2546FF7BDC7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:26.715{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AD190D3CA5B09FB7880C8E9A51FA25A,SHA256=A7D180AA1B600EF1AC00BED59516042D6FC7612B92FD0F44C40BB4B3CD22B66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:26.356{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10CE5DC2D8C611253CCA7A37FDC73775,SHA256=2DC9849F53A09EB887A2D164951D4345ACFC2C0BABC9447EBB154B75B7C764E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:26.184{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1778D19F044BB8F76ABD4645E88DB9,SHA256=80A04A88CD3C5CCEDF8BB676D5F1DF474FA3A41A6025C4E3711A6D7EA794AAB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595314Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:23.899{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49762-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595313Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:26.083{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=976469141C8BB40987B5D65E29CB2F9C,SHA256=968E25A1245113BB5FE9F75959DB34DEE2F31816FF47E1E70F724EF77FCD7E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595312Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:26.083{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B589154FCB11B2C91C97C1DC5A3AEB5,SHA256=BBE9943CA1C0F86637BFE9846EA78718FDC87C2425712D042ECB8499ABBC470A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595315Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:27.099{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EEB84AE1B858345DA806985C6BD948,SHA256=0D953D432093EBB48C6CEDACBA2E6DDA7F0F20B5A407C9A0FA65230C62715517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:27.965{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F37EF75F8586F3B3677757A18879BCF,SHA256=B2384A39873E98D332839DECB1DC9725FEB3636441375878E7F0280E155660C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:27.340{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82BDA293B483A69B5887C1DF2D938A9B,SHA256=EAA534525399B222A98E13CD539F1372A930FB3A49069178293FE675838E0376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:27.231{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72C51770B065ED2A2EF79E911A42604,SHA256=FD0336F73B116AAFE8F4D600A922C86EAD3DC20ADD5424ED775F7F31218DC890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:28.981{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EA34DACEDA738EE45B018A2F3607B10,SHA256=19B23468D0FC9ED6DED1BD26F00DFA802F7BF1EAEBF032F6950EFFB91E996904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:28.340{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A20DB9B9F1D517F762B749F9FB8F440,SHA256=B97055277CFE942907BA85AE8FD571E1E5FA1CD5E06DE40CF6046735FB0448E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:28.262{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3276923D9041F4A6EA1A0744387D94B,SHA256=0D3A4A212E35BB34EB4C25589460E56133EBE6EA9A299A8962CCCA948E163FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595317Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:28.755{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9640ab1.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595316Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:28.099{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F9FF4F3FA4D89093921434DAED28F7,SHA256=759E969D543CDF789E48EBBF0B6C8B1AD948EB9B592DCAFA90004E700239F347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:29.387{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90339B72A0C10DC62F10E3B099EC6642,SHA256=57353664EB257EBE93EB35F9AF236110C63E3032D97F41CF4C2E6494D0CCEF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:29.278{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2183E999F30C2C83ACCEE59CA9AFC05,SHA256=C131A09A0B1FB8D6D61CAE9AD1F77D64747C5B87AC310FBF3990C016E3136171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595318Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:29.099{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B21626645948170F587D42B3363592A,SHA256=D7D02DF3F262D283915EC37C459E93FF24E24547AA0D0D30E62C3CB37F20643B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:30.287{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1C0ABA980AD3154A9CA1153FF8929F80,SHA256=42D2B3847F90BD4E8A0E1EB5B374BC0DDD73DFA6DB1F4C1772BD1C0D86DD4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:30.287{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F36AF52899F9DF8FF2ADA69C3B5696CC,SHA256=451C7C9EE7E9420D0E721F34C5E57C2DFF463D5E85A4CA13ED4E8E509D26BE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595319Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:30.162{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE74505FE92C8BD3124DAB7A1EC3E9D,SHA256=1AA851F61481E1199F128CF0BB94227DD2BD6A5CB5A9E9E5336792699D91817D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:26.707{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49846-false10.0.1.12-8000- 23542300x8000000000000000649361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:30.294{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CA95187E3EF4A9BFA94F872BDD599AD,SHA256=88DF001889889016671E1FBBE2D670E10A1903299FEEF751D413A70E18B4E93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:30.012{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6719E604764CF693F75010B9918FD300,SHA256=C731D4D26ABFF610420FE3D860645EAB8C460B6F48F1A6508F2861E94388460D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595325Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:28.961{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49763-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595324Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:31.224{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139B3DEA232E4F92B49360CDCD988AD5,SHA256=68564F683746A3194CAF181AB0EDA326A12217DD73B1786F23B96B8195DBCB20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:31.512{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E7F6540360653F85A9A4605E270C406E,SHA256=26D2E1578B2F437A1A76BD1AC0FC2E050BD44F3A6B8CBD6E36A823A85234B953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:31.309{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD802DC5551B062F6948E75309AEAF16,SHA256=20468D1E71DA9F4B22874C97FF93F04DE247E01CD4E77E30E83E39C4185B68D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:31.130{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7878D371A82B3BA4618A1A24DE6043FC,SHA256=016D68291BE3FDD657DA0834E6AC993D04789073CE16578F3C9F14BECA52D031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:31.130{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11A11127326AAF591CE2AEFB56973F48,SHA256=88D8F50A9CB8B3BE5F3D643E05E851D58F8514958DA875C3A8981F6FD456CDC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:30.997{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=058A7A622B440A2ED0F0B520B26BB877,SHA256=DC84C0E0DC6F8F8FBEFC2628E43A3AFAF3B8BC5FEB29BAC9724F41C456709A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595326Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:32.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F3258B59C863E79FBB765004D2202C,SHA256=9AD94E3A75800476471963063A0459A4B81D7B87942C36A3A68F027251FEE787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:32.497{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A84BC23626AFEB5B611116B4CA33AFCD,SHA256=9522D26BA612F2011A4633C6E9B0BDC5AD45EA10AB3297223EC919F164AB8D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:32.497{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3F9CC20028D6B582621046784E18DA,SHA256=6C6B345E0728C8D355F2E98DC32A40E494A6945EA2F1B5CB161C4AB39D87E35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:33.623{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05D004CF0E7B1D4FDE0FA783E5FEDA7E,SHA256=3977363206EDF94EE95AAE50762178D7F807BD6B1E0036672022508E3B09D15B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:33.497{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89E941F473F1B24002A3AB7702916C2,SHA256=4591105C6A1848E74035B5F9CED81A6011F363CAFE5CFA140999A56909F4BEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595327Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:33.259{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=028D0D84D52F2328F8B2B4766E5E40C0,SHA256=03F16A01AF94A328A80364675CA4E179FA967F280532E9BC6E96D58E095D5DD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:34.855{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F51A51A1C2386577FA33137480F6F43,SHA256=394BF8130361CBE6D407E14A9DB634F2CB044E769722FDB5615E9674BB8A8BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:34.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D188CA6FCFE180EA534B22419E563247,SHA256=C4C1CE7C61D5AB2E7C0D7E880472EB01EACDDA83606AAE1A66212A2D4CB3F84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595328Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:34.259{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8509F0698E77882F15DE25DCE46EAA4F,SHA256=9FCAEAB9D268AE0EBB60C3F1F3965BA9F3BDFE71BE8036FFC65AE9E7F5703C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:35.511{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B312A3F561F4DEDDF4D8A05477517C,SHA256=E30D3E2A5D341119C1012D2B9B221FD93795C66456D680E3A1E010C792434862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:35.274{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EC95384BB72B6659AA5CAFB2126B53,SHA256=064AD952C6F285C4299B201C43EBE0B2710711BFE22688E7726F9BBABC2AF4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:36.515{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213A4A2D8DBF7ACE2F1A7398E18EFFAA,SHA256=8C624C8501C808B4A5A987CDEC3D92A068C594AB7E4803187297DFBA12F736B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:36.306{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6ED6C10B685C4F1B4BC0769967D359C,SHA256=C0C81CB8EF116CFE420A25790B8E793B3BF214D5F70E9F99E0BC414CE04DEC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:36.124{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C41BD00DEDBD56360267AE7C4710DE47,SHA256=49C5871A037808C2F66EDE3A89A473F77F7A6C4B1F812782923DC771094329F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:37.546{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B114E56DAE36D795725A2F6979B02E5,SHA256=5D7F3FFAD8E2C8E5F0FB191EA2005F538A088A1991E4D50091F87EA3708ECE09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:34.871{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49764-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:37.320{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425CF55B068483716837D5B5B680E115,SHA256=03CD8E806F422BD079A792733800C1A4F944FBED80BBBCCA1F67DD2E2C48C351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:37.374{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3561BE378C54E741B3F04982497D1BF9,SHA256=DA99EF8B4FC3FAB515BFFC5E03B4CB33391C02C9E7B4A8B55A504A58F9CAE3D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:32.721{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49847-false10.0.1.12-8000- 23542300x8000000000000000595332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:37.054{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C1345B0042D189E79535F607B43BCD5,SHA256=ED12F3F85654635DBFA9DC87E337287118E363F10C2087D02F65EABBDA000122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:37.054{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7878D371A82B3BA4618A1A24DE6043FC,SHA256=016D68291BE3FDD657DA0834E6AC993D04789073CE16578F3C9F14BECA52D031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:38.562{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F199E3796F33B80EBFD01390D8157D65,SHA256=A9BF3E4A2A147EAB5B84E3F13E0EB224B475888638B6B97F34642C6CBDE90791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:38.336{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC41D64BCDAD5A45DAAE8AE72BA453F,SHA256=5EB92DAD8B374B108CCE45DACB62625139A3CA078461A1E6B5F516ED382FB98E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:38.421{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43ACBEE8C033A51CBF343799AEDE8B1E,SHA256=34B805681BBB94C3F9596D88F05B552438C9AA53EDFC9AB2FDF6C6578554851F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:39.765{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C2BF328BFDE0B823C89F2092C31FABD,SHA256=13EF93141CD25566C0CAEA6931AFEA6509BCE48539FB32B5E5D239013DEFF383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:39.577{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3ED6A508DCD75C865EE3424088D40AE,SHA256=CDDC6DBD4DCBFA3C95F94CA4627A8B4C6691D72A3A9A706511DB458451927BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595336Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:39.351{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052E9EDFE6BA747C757403E07DCD71D6,SHA256=7065E89219093D0E4EED5A60126BEDF86544D2BCB31770596315CAF3D86C93DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:40.351{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740C3B4487B5C5687E6FC6512BAE1023,SHA256=7725A8000A9A3AC7D7CFC9B4738D61872A4795E02962676034B0CEE5524CA96C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:40.609{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD35BDBD6076370295ABBF224CF9E1A,SHA256=3F5B07D865E2C4E78E6C741943868CAE99B83121BA74D6CD46E4BB6E8C90967E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:41.624{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AF0D1C119D4293A72666B0739A8B71,SHA256=70D9C560ED739E26F00AD7BFFBBD7661FC8161730DD71DA7E46817F94D19694C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:41.398{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4451154D1E9CC883F0D55D2E45DE447,SHA256=211EAE375FEF3396F2DA6EE800B643BBDA3E34739E70B49F87934B43BC72BA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:41.046{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64CE01293EAFF6574A096189345FB43A,SHA256=37E99F18B6BD990DBFCE8F0A9B29E2D5FBC17C7557BDAA6E5400AD04531587DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:42.718{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8CA467C666D340B37D096EC43C048E,SHA256=37CF3F569086553CDE577A7DF922CB71123AC8E866ED1C187B73C9D861C7BB64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595341Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:42.429{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C21266E9295C0B94E68D76FC78BF8AA,SHA256=7CE3A73CA1172D056A9A2D8B1B84B5122E995C933FBC3F3C180DB536609B1042,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:37.756{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49848-false10.0.1.12-8000- 23542300x8000000000000000649385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:42.093{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD66CDBA0529D4EB03BAF3F601F724A7,SHA256=9A256320BD5FC0DB77C188E6959AB5C5147F3151CAE376B7010EAB258B2F5392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:42.086{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FF15EDDCD1FCA9A47307D0EA6D72285,SHA256=47FE2EDB5D7A156626E7A803EFEA114A7A9CC78A424BA092344E620E9EABE053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595339Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:42.086{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C1345B0042D189E79535F607B43BCD5,SHA256=ED12F3F85654635DBFA9DC87E337287118E363F10C2087D02F65EABBDA000122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:43.734{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F933158AB1096BCE46E25122C35799,SHA256=EBCDA036F2E0C2CBDA3CA2D9A49909789EC20E231AD520C7644194BB60943095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595343Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:43.445{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB00851152D3F511C8739ECB2FBE6B7,SHA256=46E76CBAF4EA5AF50416DB94FEA08E87612FC6CCAC2BB5E3F5211A43E9211532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:43.546{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16126837A0FA4694CAC04DEF38BD1D24,SHA256=08605A653AEA5823E7E8FA9C7AE78C769F31D7C7B9166EBAEE4CBADE7648F858,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595342Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:39.901{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49766-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000649391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:44.812{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87CD9BF775442FA2D2FFCB0EC8A21DA0,SHA256=67B0900CE2127EA118AA12B82481CC542A3F89623C1E8269E6529B014B3C327B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595344Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:44.492{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0295259E03F2C38E636BCEBA53E69D36,SHA256=A3A2BA31FDC40529CA5092EE1C811BF3566CA6707570DA09D92F4F23CC336C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:44.702{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2916CBBBD899367B6E8D42591DC83FEA,SHA256=2D7228ECFB5E4E9B5DB37178F6EFDA7E25B5A231D6577DDBF42FDB0833E2AAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:45.937{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A325AB4146B717D69C0D7175D0B4035D,SHA256=A85C51EC729ED8DD24A363A12482A813FB6EE912BFE7AD2AB6DFC60FC4F0E465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:45.827{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29EB8BE238F1619B101E0F6C3E9BB665,SHA256=1AA0B69BEF9F47A79FCF52EBAFF4BCA6330D44CF1718BBE530A62514131CA21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595345Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:45.523{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D728513ECCE1DA5D08CD806EFD6D7B06,SHA256=DB50992529482FABA1E6A2DB2706AEFEA3ED9C34E4E60452536FFB35D3B1DCD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:46.843{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00159237E4BAA612D27753BCFDA94EA9,SHA256=D548C8000F7E2F6DB4A2F1313016926B41ACB7282BBCF5105D6745C2D3475BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595346Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:46.554{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03215BA1466DFB526599F7FE35EF2586,SHA256=F27C5745C3CD8C32C22C960ECFCF08EA03A95C45CFB90319B8E48A93DF652D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:47.859{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E23F812562B87C0170D22EF64528621,SHA256=9747DFE62944F3E2A8865707A09371EFE7CF032A54C7EAD637E352D2E4BE6941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595349Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:47.555{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3206615C5A615AD0A439CC0D4CC634CD,SHA256=4B71661323898F762E1A9832CEC0E359DCD7B779E3DBC1E0DBF4009F6251FFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:47.109{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BC7165E5A5AE7CCF0E35C283359508F,SHA256=8F3AD9C4BFB732934A399E4ADD3AC6BE64ECED258229ADB0F94EF264B191E1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595348Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:47.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50C08D3A28E6AC8DE6EA54ED142CD60,SHA256=60AF3823F034D526D6130DC829F21DF3C2284AC92AEA9CF02865A47950162DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595347Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:47.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FF15EDDCD1FCA9A47307D0EA6D72285,SHA256=47FE2EDB5D7A156626E7A803EFEA114A7A9CC78A424BA092344E620E9EABE053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:48.874{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CF3D7F59AB4662934FC54BB64C6266,SHA256=3F1E7D1AB6874C5DEEB56A644D784522A712E86A57FDC1A83413E1F5AC55D165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595351Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:48.633{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056067B97AADA87C285AAC39E560E5A9,SHA256=B9A68DD557F0933B275103CC669C1810407F3A7E9DEB2ACB8A782F33E9C8A2F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:43.615{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49849-false10.0.1.12-8000- 23542300x8000000000000000649397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:48.202{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33AD9E4834FE01A0A6F683315A44F1FD,SHA256=06166F0F6042C3662CA7194BAED592425ADFB301A47EBD9D6602E210827D9D27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595350Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:44.932{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49767-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000649401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:49.905{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE84E0C4BECE7750A5646279495B61C,SHA256=60206AE6F2A34703CD96AB96C3D4D44FA5C8128FB84BC947A45D84112D378D43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595365Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB1-60B8-4858-00000000C501}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595364Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595363Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595362Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595361Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595360Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DEB1-60B8-4858-00000000C501}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595359Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.726{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB1-60B8-4858-00000000C501}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595358Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.727{97C2ED32-DEB1-60B8-4858-00000000C501}4268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595357Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.633{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA05020784ACE57D8E436CFB491FA723,SHA256=0630A9E4F1AF4BD311A22D27081703DDB69EA157C296E78C876943B69BF5FAAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:49.359{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E20544174BBCD9991DC45C8A41F136B6,SHA256=FE41B138A9BA5627D7DACDDF762718DF9704F81A1D51FA5F068F3FE071979FB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595356Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-C506-00000000C501}4092C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595355Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-2000-00000000C501}1088C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595354Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595353Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0F00-00000000C501}924C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595352Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:49.086{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0C00-00000000C501}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:50.937{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5A35E426E80A18FB1DD4981FABF632,SHA256=C186DA8337349BC091E13AF19349BE921A2A55363D2676CDA868393E601213C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.742{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A50C08D3A28E6AC8DE6EA54ED142CD60,SHA256=60AF3823F034D526D6130DC829F21DF3C2284AC92AEA9CF02865A47950162DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.648{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA8DCF931F15EA4E8ED05FD90DBAB71,SHA256=BFB1D3E74F7435DFB245AE8B00DB71EB8A699EFA4E4D6F689C76FAB2C2CC988D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:50.593{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAC63B54721DB16D479DB769625CC10D,SHA256=121AB6374ACB64CAEABE101F58B98B1ACDE96F6D31D7AF30BCDE951EE61CA1C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595374Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.539{97C2ED32-DEB2-60B8-4958-00000000C501}25163540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595373Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB2-60B8-4958-00000000C501}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595372Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595371Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595370Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595369Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595368Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEB2-60B8-4958-00000000C501}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595367Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.398{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB2-60B8-4958-00000000C501}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595366Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.399{97C2ED32-DEB2-60B8-4958-00000000C501}2516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:51.984{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADFA576B980752F988EFC595420DE6D,SHA256=92D7B1145B6386882FCB200D907C024EAA80BA6F924412EEEF98B315DDD18FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595394Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB3-60B8-4B58-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595393Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595392Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595391Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595390Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595389Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DEB3-60B8-4B58-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595388Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB3-60B8-4B58-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595387Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.680{97C2ED32-DEB3-60B8-4B58-00000000C501}3116C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595386Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.648{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762EE0A261A4DFA287E279995F412D81,SHA256=C63EC9CEC270CB1891449A6DD9F0FE9512D689768849DF3C4049D42036CBC500,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595385Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.133{97C2ED32-DEB3-60B8-4A58-00000000C501}59082480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595384Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.008{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB3-60B8-4A58-00000000C501}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595383Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.008{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595382Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.008{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595381Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.008{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595380Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.008{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595379Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.008{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DEB3-60B8-4A58-00000000C501}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595378Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.008{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB3-60B8-4A58-00000000C501}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595377Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:51.010{97C2ED32-DEB3-60B8-4A58-00000000C501}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000595412Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.867{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB4-60B8-4D58-00000000C501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595411Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.867{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595410Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.867{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595409Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.867{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595408Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.867{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595407Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.867{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DEB4-60B8-4D58-00000000C501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595406Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.867{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB4-60B8-4D58-00000000C501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595405Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.868{97C2ED32-DEB4-60B8-4D58-00000000C501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595404Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.664{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC210CD57191512012FCE6C0EBBEB6C5,SHA256=4889A3E901E439136BA2ACBD39B808BD7C344614A093A0325BB20E4DF7E7DD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:52.327{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F807BE7CEE0897663A73A7344F17932,SHA256=F99152C152C40ED640A5DE186F7ACE38988D0E18FB5879C90BEF01FA53B945DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595403Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.242{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB4-60B8-4C58-00000000C501}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595402Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.242{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595401Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.242{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595400Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.242{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595399Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.242{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595398Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.242{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DEB4-60B8-4C58-00000000C501}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595397Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.242{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB4-60B8-4C58-00000000C501}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595396Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.243{97C2ED32-DEB4-60B8-4C58-00000000C501}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595395Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.226{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C358D5B33878BF4598CDF44B8789311E,SHA256=B7532A81AA98C8FA96538A987BF4952C4EB4A8D38C6AE11CC3964814DEF5D905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595425Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.664{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39521AF27E6ABD2ACD93E9C0A7C2C980,SHA256=186567B2EB7BDB7B734D842B6E8A101FA1714371085C65D9DFD62183852231BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:48.615{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49850-false10.0.1.12-8000- 23542300x8000000000000000649407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:53.390{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49B88FBBAD57056A41892DCAFF70D689,SHA256=5A736010EC48439887ADDAF2ACF679D2ABC7D6026F6F0709C452E68C5FB91D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:52.999{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32BFC3D5FFFC66056791BDD30CBBD68,SHA256=5859E39A85E86C3EE0503A585D18AD11D75F303334DEAEFF5E38C585D562A66B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595424Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.633{97C2ED32-DEB5-60B8-4E58-00000000C501}33482848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000595423Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:50.932{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49768-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000595422Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.492{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEB5-60B8-4E58-00000000C501}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595421Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.492{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595420Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.492{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595419Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.492{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595418Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.492{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595417Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.492{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DEB5-60B8-4E58-00000000C501}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595416Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.492{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEB5-60B8-4E58-00000000C501}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595415Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.493{97C2ED32-DEB5-60B8-4E58-00000000C501}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595414Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:53.258{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9800E755C1B9C93A543D0189B0D0316,SHA256=ECD92A785A531FB0AD28934A5593415AF25E6BD9FA42B498019ADB3F135B1EBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595413Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:52.992{97C2ED32-DEB4-60B8-4D58-00000000C501}13843320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595427Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:54.680{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC259515DABE77386B7F81BD7796939,SHA256=082EF6FBF1E7CBD619D3E713AD2023DD3B6FD52801A4CA853D3C8877A8B8E473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:54.530{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA0919BE48B28FFAD95E2CF5CE12AF6,SHA256=9C43A197D7822164F4D6C186E4318C7A0EF6C61BD06FE906162AE40187543D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:54.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E74F5803031A8C39EFC68CBD7C571EF,SHA256=15956B218966B9C57D71B280BABE0F6F5ADC582FA24216BA5BAF8342EBA60FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595426Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:54.664{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF6AB3AB5248BD04E3CEF6DCFB5DFDB3,SHA256=B0850D22AC060FB5D2186D84DD372CD326097A5003E88E638DA7FD8479EA5351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595428Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:55.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51643179F5F9D24E9CC22AB7F95A928C,SHA256=9C2958F539F52FCB212A77EAD350BD640E6B18D5BDEF7FF4EB0B19423ADB1097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.796{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E869589D762C98B14E72901DCD569DCA,SHA256=C74258C1E650D82D53BEB445453FC6E6661FD8F82EA0BD561B818DF10BB71292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93BCD3DFEF95D319BB055FF97341B5E,SHA256=7FFF2FE2D833CAAB2F5155752700CF44C31B38079EA4D11A823C8978E6B70AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595429Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:56.700{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2338326C13404B89D45DE3375E4140C7,SHA256=76CC9D33D728948FEBC28C342EDC668A4E6A5AB4C638D0C49037A9FB63804CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:56.093{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C80148B4560FDA74CE654248B06F73,SHA256=9DB3298C5C10272D7D0C8863EBDD2D06B86E21D2D43530A822C60279316F3D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595431Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.700{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC911E6FD09D8497D8ACE5BEADCE893,SHA256=ECEAA1F0B65E85F0DE37067BAB7A57F3D4191C8F6FB7DAC6FE5DA4421B1A4026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:57.254{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3FB7D391D6CD8933DBFE8C4EBA52F35,SHA256=4FCA2EC400E4D9E05A827AC9FFBD8629860D50EB251673BCAAE11169473B640B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:57.160{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD696F7C98B93212F00F5C395EC1CCC9,SHA256=9E34B6C396172FD8ED212507233B6ACBD2D3E6C1E0402AE2CDB7BA331F54CDB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595430Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.262{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595434Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:58.747{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6314CB71E3B2B311A4E906C19924200E,SHA256=13AC0D930F560FD9FCA4597685D825BB82C5CF8858C8FF2760F70F6ECF4C9D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.894{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7A2CB29451556734981F83CD12CEA688,SHA256=031703EE7BC4C29D63D9F8EFAC7CB5E3D0F0B860BDA3CDB1DCDC0552607001CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.535{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=667A6344AB9DAE05DF25F30B8C3234DE,SHA256=8F082AB0D25E4ABC5F24F892AFF9AC6B6A14487556D169836D609F5BE8966B89,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.410{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.410{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=6D7D70AE31C279FE84C30CB809F05229,SHA256=17F7DBFBDF7ADD68F057134463D791A5056967AEA6C7209C628AE257244D799E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_computers.jsonMD5=33567B858E18E75BFBBE3295D6CE4CBE,SHA256=C867058A174CF386BDF326276649D85975D023EFBC3A450211F184385D2F6A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_users.jsonMD5=C955FAAB4D2234C39EC98F29D9633725,SHA256=1FBA8B055788E4C0EBFB5893EE3E703FD1FF34DC828785DD4F68E1EF639FDB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_gpos.jsonMD5=15200722E11C8FB935E1EB3A62BD407C,SHA256=E06941E35D85F9C7A3CF19EBC4D157BAA9AAB7FEBF4592E678EC88E2B4803062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_groups.jsonMD5=C1743B670BCE65953F12359D239562A9,SHA256=1FBCB204AF66F3F8913CECD7C6261F0ABD85D108E638ECFF9ED143CA371DD6D8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.379{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_BloodHound.zip2021-06-03 13:52:58.379 11241100x8000000000000000649439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.332{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_computers.json2021-06-03 13:52:58.332 10341000x8000000000000000649438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.332{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.332{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.332{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_domains.json2021-06-03 13:52:58.332 10341000x8000000000000000649435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.332{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.316{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_users.json2021-06-03 13:52:58.316 10341000x8000000000000000649432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6321072C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.316{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x8000000000000000649428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.316{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_ous.json2021-06-03 13:52:58.316 11241100x8000000000000000649427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.316{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_gpos.json2021-06-03 13:52:58.316 11241100x8000000000000000649426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:52:58.301{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135258_groups.json2021-06-03 13:52:58.301 23542300x8000000000000000649425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8B63C3F336D59D2314E5D9A4F0E4D7,SHA256=77F3190394198FFEA4654A985662711C64FBA05F9A5721E44BB19B93FEA1E334,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595433Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:56.078{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49769-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000595432Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:58.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9CD28112AA7D820191CF9B59AA3912A,SHA256=4EC317B27D72B69E06CDD0022957A4E43AB4C77280250A063491B0F614B58281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.082{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.082{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.082{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.082{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.066{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.066{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.066{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:58.066{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000649416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:53.725{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49851-false10.0.1.12-8000- 23542300x8000000000000000595442Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:59.762{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E15FBBB3069E7B6FC1876D7D42EB2C,SHA256=1D03E3EBD90106D8DBFD1389AC0472B2EE09482EE57673DF05AC0F8DC015DED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.613{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F16536F864EE675F46412CF47259A384,SHA256=AA1C3B71E49D584501E6B767C8FE3F52659B5A3A9A64A76FA2ADC4953EFFC2EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.809{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49860-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.809{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49861-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.809{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49860-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.809{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49861-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49859-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49859-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49858-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49857-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49858-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49857-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49855-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49855-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49856-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49856-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.807{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49853-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.806{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49854-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.806{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49853-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.806{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49854-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.614{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49852-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.614{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49852-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000649457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.222{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649F0AE45AC06E9BAE00E6C2A53AA26F,SHA256=2DF3BCF07E11AAEC70719DEC8FC5FF0EF8F23FBBDAAE945CE9F46BD4FF3EFE04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.222{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DEBB-60B8-754E-00000000C401}3416C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.222{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DEBB-60B8-754E-00000000C401}3416C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.222{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-DEBB-60B8-754E-00000000C401}3416C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000595441Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.150{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49867-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595440Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.149{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49866-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595439Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.148{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49865-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595438Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.143{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49864-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595437Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:57.132{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49863-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595436Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:56.890{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49770-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595435Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:52:59.294{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A665FBE920AD5BC04C9E847312586C40,SHA256=4F7E32A09A8035433720EB779961AFAE234D0244CB9207B41A03BB5AD9C36C24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.207{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-DEBB-60B8-754E-00000000C401}3416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.207{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DEBB-60B8-754E-00000000C401}3416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.207{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-DEBB-60B8-754E-00000000C401}3416C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595443Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:00.762{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835381D77E959DCF3DFC4E6C5F73DEE9,SHA256=096621010138E6CF30E58DB3CD6B92CC34A662B5D3599AC5AA18C82601B401DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:00.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0DCA50E25B385580DE690E557CAA027,SHA256=7102EA97E1B4901292F6EFE24B5217D65C632C9DCA868B378BADA19F897080EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:00.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9300E564CE372470BECA02EE1B723089,SHA256=B66438B238FBDA6A334E0944F7A96B97BE2BD47D2F2F17AA6C8D86D2966BC561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:00.254{D419E45B-752F-60B6-0D00-00000000C401}9044156C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-0F00-00000000C401}360C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:00.222{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.865{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49869-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.865{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49869-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.863{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49868-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.863{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49868-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.849{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49867-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.847{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49866-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.846{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49865-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.841{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49864-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.830{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49863-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.828{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49862-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:55.828{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49862-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000595445Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:01.887{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A8203582804810D3D4C3DF3F117A3562,SHA256=EF67FF34758DD3DF3D9BD6B875AB096C9F8097D23446578B420075FB6D2CC715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595444Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:01.762{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD13ED1B95D7F7EC25F40F786B42874F,SHA256=11C9BB23DF67A37EFC3C6D20024A47A12A10895F1B68A1DA48C43732B63C5CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:01.269{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6FF87622BB8DFC9D7578C97FB04C78,SHA256=5C8D52918C13A851FF4B248F9C0319118DDFC63F598335657FA1B79E9D30CB57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:02.847{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBADCC79B38E4B45D4E5D81937107A6A,SHA256=502552ED26B2F6A1ED6C9AD44A9CEE874400368ECA6ABE045E42F56EFEF85DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:02.441{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA1ACAFBE9280D0D6BFFB37DFFFE95D,SHA256=4FECBE6667B4E0C1738B9892C4791AB7C2F08D502D914A940833AE47FB4A94D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595446Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:02.793{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE387E46DFCCFB193822B9BC6ABB5B1,SHA256=9C1E34568BB839DDE959BDBF4C414FB2BD49E40B21A4947EF18885B88ED4DC9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:57.745{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49870-false10.0.1.12-8089- 23542300x8000000000000000649495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:02.004{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=370B709C809E854B0BB2BCE140C0C391,SHA256=DFD6E4663D956A267348FF69E14FA0AC3F4CC7E2C26B71A710128FA002F52859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595447Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:03.809{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD291149B860E56D2F57892580B241F,SHA256=050860DB91ABA7E2623E88B02D8C33054C027D0EAC77903590AC7C733644EEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:03.988{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B01F9D2540433F3692EF58651B7CA6BD,SHA256=031D3E225976257EC02F47C2E5B5FC934B033020C345E083761EF0ACE436D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:03.488{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F324E0D1AFA94AD07234A8E377F1702,SHA256=57F1270FE1F0C45316CBAA739C6392D945311EC454C4B1FE861F674F98BD1DF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595450Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:01.890{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49771-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595449Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:04.825{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC725D81F4433A7FE414441F5622B83F,SHA256=6879C79C315CCA5D9CB35C170242CD88DD3DC92BC30D3A4BFBAF435C3D233282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:04.504{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79619D1819F1045442FAA075574771C9,SHA256=524488F2B19D9157CBB1253F46080C0B264FB0348F9DC1779901DA9D4B2EE4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595448Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:04.059{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37136D7D78E5FA47FD285C65DE3546E6,SHA256=41D6A052900FB8B604B8D583D9DADF7D4AD9733081642BF45F080580A86C2C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595451Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:05.840{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463E666E3880A8E4AD26DDD79AE110C3,SHA256=45154A1FC7EE6E07C93AED85F258A74D43646665EDEB2C0C00316707F762CD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:05.519{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17657C5D4304B2DB38081656CCC9849,SHA256=1193055E3B4A70204E8C5B949F29E251F7729FD844D444F5FEFCB9C913DA70E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:52:59.729{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49871-false10.0.1.12-8000- 23542300x8000000000000000649502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:05.238{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83EA699EB943C6545A814ABB8F9AFFE3,SHA256=511B561F0008AC7DF13E24DAF99746FC6E24B42CBA73AC771494F5F1A046E18E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595452Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:06.887{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25F78C77603E4B1B3F9016C7CB68A10,SHA256=BE8702CAB1DE179EE8E87CEE49FD795422508CD5A250728255C06F968739659B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:06.551{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7914B3B5981C5598E029FA32678630F8,SHA256=0BDB1968FE724DCEFBB156903EB6558C25E37747A44587A689A4801C879FCEDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:01.558{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49872-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000649506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:01.558{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49872-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000649505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:06.254{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CFFD0B7C55FF61BE8D0DB51F4CA80DE,SHA256=4C6779014060D397825C7A0236B44DDDB0806380E79B3A837A1AE4B16145CE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595453Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:07.903{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32786C7BFA83AD19859D1CB371F2077B,SHA256=D27921B19FB2738C7D457F2B81A83AE2E696AED8C8C133838FD0172A2FD362E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:07.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B30D446707B546A21C1912CAA28415,SHA256=9DCB74FAB69D4B9BC9915F95BF8EF967C128ADD891E687F4964984A2043CB4ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:07.722{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E535787237ADA1880407B5DC373CEED9,SHA256=4132C6ABF81056ADDD9EC6405FDA7C4198D935B15AAD8B58444A6AA11E10C050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:08.894{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8FCB7354A29776262720A77566A96C0,SHA256=27D716343CF71ECE8B5BF1A60759DEA9EF3D8668DD500ACCDD2488AA33F846AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:08.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1249E4A15AE5282F171D6D96A7487CE9,SHA256=F86AD310E856602B4633095A3D5C7689CE7FA15440153CE17EAA5EDD010EAA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595454Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:08.918{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65D6F9DF20FEB8AD077C3F5EBB587D1,SHA256=4FCFBAB9B806FA7398F4F09ED9E40EF48D643088E6B96711787E0233D45F9232,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595458Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:06.890{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49772-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595457Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:09.919{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC242D640FC2F552E66DB9DA828FCE6,SHA256=BC7AD5E13C4ED37161CEA04DE732B183B7D7ECDE7C76C13543106BE504156D3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:09.769{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51281A430DF51EADD88A4336ACF1DEF9,SHA256=D880553AD3489C88A676D3325364CE26DDFCC21C26734C9D67B190545C6D95CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595456Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:09.090{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C350D1A1CA2F6CABA82418669176318F,SHA256=890EEFA61D63A65EC20E585904CAE186AA0A819A7388B6650BBE18D7376B339E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595455Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:09.090{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33D136C2CF7A05FA04ED2A056BF4CB76,SHA256=347F40DD6B5627629A0339C5100A4269497D438B83CAD28A2B48873FB2DF8765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:10.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F5C69DBD6EFE4045431A22194CB403,SHA256=0EB4E2155763B398E8F4703FD42DED38436B66FD89A4292190B3B84283BB3E36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595485Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595484Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595483Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595482Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595481Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595480Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595479Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595478Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595477Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595476Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595475Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595474Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595473Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595472Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595471Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595470Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595469Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595468Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595467Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595466Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595465Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595464Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595463Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595462Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595461Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595460Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595459Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:10.106{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000649515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:05.729{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49873-false10.0.1.12-8000- 23542300x8000000000000000649514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:10.051{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAA86DEF5436DE2A28306FB6ED1152A7,SHA256=6FDEA9B3B3C6ADA2FA8F21D59C95F3F3D52BD026C0928C40158AE08D5E32CC3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:11.832{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73977ECDD75331E6F404087026E1A604,SHA256=240C0BA865B5A8DBB927C19F8AB8B293BF3919BE9B62FF2970D3AAF1453C2206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595486Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:11.153{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459FC8C6CECDB5A9F058B17C1F7EB553,SHA256=CD2ADE3B56DD41BD03C1DCAFAA6751472F15711447D7E0B09ED64EA22EDA1D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:11.222{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=717DCF842E031818B96F65F562980DB9,SHA256=1327E974B2ABEB16365296A123DD14266237D2BD47FBA70BE7649EFF6B35614C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:12.879{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAC902F1A5FA7830FDA05597BACD1F47,SHA256=6197C3A99E886AADE9F0D64B2A1C0A15A4BE95BD46A12402AA3DA582C2A8B47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595487Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:12.387{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465BC2BD720A1C5BFFD8AFBFF3F0A037,SHA256=CAE735ADB95514ED36126A3E4B474FD71626A9DA443247EE5D797A0F9BEF7A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:12.441{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6B5712C6D18088C3017F3B767ABA2FE,SHA256=21C56A587CA208C3C665C4DFB3B3166E8B650CFFF2BED5A07F284CB4A32F1460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:13.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F86F0FC3B1B9437B8D3DA24CA08F1A04,SHA256=FBBC139D19A931B0120F9EEDD1F34E7CF30E82FC426EF87C7719CFE47A30E022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595488Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:13.419{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88787D6F39A4A04BB8CA5E7AC739AB4,SHA256=6C5048BA11AA43B367EA3C5E1C30A7F4275F9124CCC364131045C6F5DB99282A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:13.738{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=884A8D13DC93B43983F1C3242123BF97,SHA256=222CA64ACC090A9C48E5D558896F682A7265932E59C76112CD1CE5AB6958C064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:14.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC7BD54BEC56B84901E7B944235F1B6,SHA256=9EFA8D01DA6312D92DA1FEF35AF8B9E5894848C267C6A08F58340D2BA66506F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595491Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:14.419{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5ED9F2AC4A072B40796ABD04434EE4,SHA256=A7826FE8BB0CC8849AFA0725CC433A6C639A274B65BD2CBB33F8C8BFD80FCF30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595490Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:14.122{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A179F79511C65E342A5068FF0B4753B8,SHA256=CB796B2DE24A00B82F9D07F0EC01AAB071C88A881FA96EA35CAD05FC419CAB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595489Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:14.122{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C350D1A1CA2F6CABA82418669176318F,SHA256=890EEFA61D63A65EC20E585904CAE186AA0A819A7388B6650BBE18D7376B339E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.926{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD1E5FE70877DC8BCF5CBCF6A6971EF,SHA256=823F11D41A421B4B333189796D516F3058D8E4A55FAF3846A0ADCEABFBCA77C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595492Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:15.450{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F3E147D2733A4085E3BD6CA5FB0F48,SHA256=AB8570F732CAFC25E940B6F6773F3042FB39CB906F723C9E354E08D61408A88A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.863{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECB-60B8-774E-00000000C401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.863{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.863{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.863{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.863{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.863{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DECB-60B8-774E-00000000C401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.863{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECB-60B8-774E-00000000C401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.864{D419E45B-DECB-60B8-774E-00000000C401}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000649533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:11.760{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49874-false10.0.1.12-8000- 10341000x8000000000000000649532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.191{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECB-60B8-764E-00000000C401}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.191{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.191{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.191{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.191{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.191{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DECB-60B8-764E-00000000C401}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.191{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECB-60B8-764E-00000000C401}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.178{D419E45B-DECB-60B8-764E-00000000C401}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:15.035{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAEF716DC520B548412E71613F5706F4,SHA256=6CE165CC5D9EE7059481B5AE1EFE0072024D86D4650F20572173B93985BAB34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5004A0760577AC0A03CD504D45CA0B38,SHA256=EFB76B1A02A84685B8E616281F64B70FAA4AB79A72475652BD6E6875AEE5F19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595494Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:16.460{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03D79C8A7B90853A29F0ABE26D961E6,SHA256=FA864AEDB285E546B59BA7330FEB1D0F4F909351010C90A05FDD13BEC5B06BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.701{D419E45B-DECC-60B8-784E-00000000C401}48161368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.529{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECC-60B8-784E-00000000C401}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.529{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.529{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.529{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.529{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.529{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DECC-60B8-784E-00000000C401}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.529{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECC-60B8-784E-00000000C401}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.530{D419E45B-DECC-60B8-784E-00000000C401}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000649554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000649553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x096c9b32) 13241300x8000000000000000649552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75877-0x6b5302a9) 13241300x8000000000000000649551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7587f-0xcd176aa9) 13241300x8000000000000000649550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75888-0x2edbd2a9) 13241300x8000000000000000649549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000649548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x096c9b32) 13241300x8000000000000000649547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d75877-0x6b5302a9) 13241300x8000000000000000649546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7587f-0xcd176aa9) 13241300x8000000000000000649545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:53:16.332{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d75888-0x2edbd2a9) 23542300x8000000000000000649544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.316{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5F4991834C950471E7E8439187DC57,SHA256=AC28A5F861802BB88753B3D71B234955D3708CF779C4311499DB973360120B83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:16.035{D419E45B-DECB-60B8-774E-00000000C401}7603716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000595493Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:11.937{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49773-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000649583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.951{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24346A271F8A8B00939B75AFE2BE7B8,SHA256=B0E65361CCCA48A63609E1D9DF775F6A37131DA8801D6465D5CCD29C68957797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595495Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:17.476{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEC9BC0ED8182C9746F2BC7B7B1F01D,SHA256=6674F0684814530A78142825809A45EE21EA81AB137D069B157FD73E2E7D99B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.889{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECD-60B8-7A4E-00000000C401}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.873{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.873{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.873{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.873{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.873{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DECD-60B8-7A4E-00000000C401}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.873{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECD-60B8-7A4E-00000000C401}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.874{D419E45B-DECD-60B8-7A4E-00000000C401}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA680AF166485C87F637F35BC4F3E7E9,SHA256=0EAD38FCE362D4E14E8E9FD9B3A5BAF1DC2A505D9600F72786B8F090DA47E447,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.373{D419E45B-DECD-60B8-794E-00000000C401}60405424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECD-60B8-794E-00000000C401}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DECD-60B8-794E-00000000C401}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.201{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECD-60B8-794E-00000000C401}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.202{D419E45B-DECD-60B8-794E-00000000C401}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595496Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.491{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743AE0A887B69D175247D0E6F947FBD1,SHA256=6B18B2ECBB7AF47C0E56EABF57BDD803D4887454B00C29749F38F1B5BA76BC79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.545{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECE-60B8-7B4E-00000000C401}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.545{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.545{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.545{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.545{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.529{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DECE-60B8-7B4E-00000000C401}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.529{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECE-60B8-7B4E-00000000C401}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.533{D419E45B-DECE-60B8-7B4E-00000000C401}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6AB3FACAA4BA925155FF775B9E279977,SHA256=8E6F408D79FFB041640EB909F0C454594F8C1E9D5D2AC4DA949B80F45D1647A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:18.045{D419E45B-DECD-60B8-7A4E-00000000C401}55644480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595497Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:19.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB5722724B00F05CBF8CF174482BF3B,SHA256=DA2476C08931DBB777D2414DC41394E6C615D249E5AFDB52EE81AA2164DC8E22,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.951{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_computers.json2021-06-03 13:53:19.951 23542300x8000000000000000649653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.951{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33F6CB1CB3E54F1C7FF845EFC9A860EF,SHA256=B9BAF28CBADDF0AF5C56E6379BE512452449E73CB5F9292DB1D1A25ED029757D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.936{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.920{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x8000000000000000649646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.920{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_domains.json2021-06-03 13:53:19.920 10341000x8000000000000000649645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.920{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.920{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000649643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5520EAB2D4D4F2B474018A3980AD603,SHA256=CEAE80A8397DC63F389FBE351CD852230D83F998B7C581E7A6EA7707B056FA78,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.889{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_ous.json2021-06-03 13:53:19.889 11241100x8000000000000000649641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.873{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_users.json2021-06-03 13:53:19.873 11241100x8000000000000000649640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.873{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_gpos.json2021-06-03 13:53:19.873 23542300x8000000000000000649639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.858{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64A01646A3FD44E84ABF3DE2D63350AE,SHA256=009197F949E1862D8A012AA3C7B8E99DD20A1FAE7D2260EEE5294040B8151674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.858{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7773B2BE2EC2E2CDB867CD5596A75E91,SHA256=5111354D767E60EA382030502DA64F72024EF2B8F5FF8B75313BC69BF779EFB9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:19.858{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_groups.json2021-06-03 13:53:19.842 10341000x8000000000000000649636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.529{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.420{D419E45B-DECF-60B8-7E4E-00000000C401}6360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.358{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.358{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.311{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.311{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000649623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:53:19.279{D419E45B-DECF-60B8-7E4E-00000000C401}6360\PSHost.132672019991954406.6360.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.264{D419E45B-DECF-60B8-7E4E-00000000C401}6360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_25mihogc.twn.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.264{D419E45B-DECF-60B8-7E4E-00000000C401}6360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hh5czhq4.yoi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649620Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.248{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_hh5czhq4.yoi.ps12021-06-03 13:53:19.248 10341000x8000000000000000649619Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.233{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649618Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649617Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649616Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-DECF-60B8-7D4E-00000000C401}53481652C:\Windows\system32\cmd.exe{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.195{D419E45B-DECF-60B8-7E4E-00000000C401}6360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1 10341000x8000000000000000649610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.186{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.178{D419E45B-DECF-60B8-7D4E-00000000C401}5348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\SharpHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000649602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.170{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DECF-60B8-7C4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DECF-60B8-7C4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.154{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DECF-60B8-7C4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.156{D419E45B-DECF-60B8-7C4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000649594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:19.108{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B978654056C2B9CC863F015EE6DCCC,SHA256=AC7D038D19DEAA7C5BB428221115E4D7350E9E674DCA3A9006FDB77FF0D0D552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595502Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.708{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49886-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595501Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:17.853{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49774-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595500Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:20.538{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D25F5FB46E9DDA8A2E784090730FBE5,SHA256=CD29B6C9AA4B78A047E9D98472C9C623A3C2DEC7A8A2EC11D360BF17111BD2C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.322{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49884-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.322{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49884-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.309{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49883-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.309{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49883-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.308{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49882-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.307{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49882-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.307{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49881-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.307{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49881-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.305{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49880-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.305{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49880-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.304{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49879-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.304{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49879-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49876-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49878-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49877-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49876-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49878-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.303{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49877-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.065{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49875-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.065{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49875-false10.0.1.14win-dc-233.attackrange.local389ldap 10341000x8000000000000000649674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-A157-60B6-E60A-00000000C401}3196C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-A157-60B6-E60A-00000000C401}3196C:\Program Files\Internet Explorer\iexplore.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1200-00000000C401}480C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-78A3-60B6-B402-00000000C401}4592C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.264{D419E45B-752F-60B6-0D00-00000000C401}9044464C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-0C00-00000000C401}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.217{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1F4C682495DD0B992B54D97CA219D8,SHA256=5428673C915D71A2A2FC3807BC3F6B0D3AE633CBD31B5293AED5E28EE3C59FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.170{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C9C62FD7F8E6B5EB9012B3ADDCA1075,SHA256=27D7D6FB3BF3154CDD9F67EC085DCBB60EDBA86B1E91427099FC5C7D9E67A4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.139{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B338EC2B191B3B0B28B1030193813E99,SHA256=37510E981B359B3BB44901160C94CAE6E61806D8D4E7E6312CC546E0A59CDC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595499Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:20.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F686622CB35EB4693ACD5FB0998B1BDC,SHA256=3ACA030B34B93AF3CB36F34DA881930FDC2445C58FD3074965A631867E3A67B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595498Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:20.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A179F79511C65E342A5068FF0B4753B8,SHA256=CB796B2DE24A00B82F9D07F0EC01AAB071C88A881FA96EA35CAD05FC419CAB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.108{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB01CAE9E745F3BBE05B118A00E852C,SHA256=A8239733D3BD991E6EC94F33A3651D990DCF4E9FA5E7D90D7809AD22071E7D16,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:20.061{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.061{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=2FB780692208D5190ACAD6F89B23A22E,SHA256=147E57D1F52087A7B0C5A987B78E5975CEC3F4BA43C13A8A97A4C9E8CE545083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_computers.jsonMD5=33567B858E18E75BFBBE3295D6CE4CBE,SHA256=C867058A174CF386BDF326276649D85975D023EFBC3A450211F184385D2F6A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_users.jsonMD5=BFF8DFD6363F258D55DD0F64AB4A52A6,SHA256=1850C27B919183A08336154561DEEB2095D8C3D0D4C7C03A70AF82659A37E4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7DA1B2C0B994D2BAB192A900C1BC8E9,SHA256=1D0DD54F02D811722507D323ECBD30C24D75F32E70BC77FE062999ECFFC0EF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:20.045{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_groups.jsonMD5=C52680A605F7AA416CFBEB0F63934D9E,SHA256=2AB34C80D63C54E9488410C31A43FE5898D10045566F562359E2E588B8EBD73A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:20.029{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603135319_BloodHound.zip2021-06-03 13:53:20.029 23542300x8000000000000000595503Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:21.554{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680443575661EB2445ED4BF88EBA1D2B,SHA256=525438528C5C01A99ED37939C4C70AD624E7682945EBF840BABBBA18F95EF11C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.479{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49892-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.479{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49892-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.471{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49891-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.471{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49891-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.449{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49890-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.448{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49889-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.447{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49888-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.441{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49887-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.406{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49886-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.404{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49885-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.404{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49885-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000649696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:21.373{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8B42F406517939613C7BBFA00C24CFB,SHA256=E2F730392F1D7C6A188390FDB4194DC1DAFFD66C38BAAE7B048D66F882529275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:21.358{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A55998E953E9279EB21E0131D203BE,SHA256=70706B82331B4FE29167111033CDA19265A828461021E6B6359217F77D3C7AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:22.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5EEBFBCED083DBF7123549DE6A5E5F1,SHA256=94724DDF38E0765386978E15D39815CA57E50A7FA7953D24C74BA26A7E595172,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:17.583{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49893-false10.0.1.12-8000- 23542300x8000000000000000649708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:22.404{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24744B835DF00AF5DFA530B0D495E9E9,SHA256=E5D0F77CE878BDC2D4AC8ECCBB38D5791A342D98E082A91A0ACFF1A63D13E5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595508Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:22.554{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D8C7A72B7EF31FB8BD1A2C18ED77E9,SHA256=A44981AC26C921AAA5B891F9FA1A0D9D1149BB6F1254C2C7788D1541C5668F72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595507Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.751{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49890-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595506Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.750{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49889-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595505Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.749{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49888-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595504Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:18.743{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49887-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 23542300x8000000000000000649712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:23.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C14DF3B8AE8BA3C56E2A0231D6498079,SHA256=C4BF7EDEBD1CC5514FC32A106820535C1BCD3775CB4EF350BB2A3323A75CE1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:23.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6F3BFF9E1330E7360ED872403A3D6B,SHA256=22E304794C2632B07B076A8188A790AA30EB44A0AF7A9302061DD4F23CAB03B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595509Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:23.571{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675B21841C2602D6925A089C3BDF01F7,SHA256=5E390AA7FC0CEB22A32A07F30C3A9E413B767217CE96FDF7FBD9CA851F42EE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:24.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EB11C6CC3DEE54A2A6018D28AC38F64,SHA256=78A910943FC6284E6A9F1F71898F4379D7B655F80E34CC88CE9C161DB6AD5F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:24.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3050590F589A9F270FEC2993F76D537B,SHA256=1A580FEF69F3113A8C753E4AD608B22D9AD19B17E1609B0A26CDDB3BBEFE9F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595510Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:24.587{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3FF953FFE9DA53762837AA293BA93E,SHA256=59384D596668604FA3FCA7F5068A8F9CF4CE4BE5B81405ABA42F7CA58833AFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:25.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B357D9825FE1466EFD2938E50404323,SHA256=10FEE4EE06E1D952E4F66A938ABF68D59FEB58D6B083A6B928DA2F4794613B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:25.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C8B64CB81AAEC11244F0DD1923C806,SHA256=E8490A2A18D7F1D936C79244FE6487E2A9985D7639021122F3363A90D3CEAE31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595513Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:25.587{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC326EC5667EF2F095AF9AAB53E0B37E,SHA256=2E9EC0E053585D912CC6B46DCC9B3866B30CB6AB478014100703AED6C0B01218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595512Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:25.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF7D1EB8D2568754B448B7A4092FC2F7,SHA256=42F1DE87E11B17229501FE4914AB7930063E2C39268B2E0AC7C6A6C8FA15DFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595511Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:25.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F686622CB35EB4693ACD5FB0998B1BDC,SHA256=3ACA030B34B93AF3CB36F34DA881930FDC2445C58FD3074965A631867E3A67B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595515Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:26.602{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B564CE808ED67FC095EAA20B09C957,SHA256=DB9869342F0C0550BB28B5A6A970CFA982546E4D0D44D0A78080B10D9DCCF84E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:26.764{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379D3CA8089B8A7914AD54D05AC3F65F,SHA256=6C588054FC8FCBC3F075E570588AA8E1D5288CB2DAC02803BB8F54CBF0191222,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595514Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:22.916{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49775-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595516Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:27.618{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54ECD680BCFA796F57E8F3B68910AB4,SHA256=4DE0D206939733A066835B8ECC162B697C6768FFAF982D6B288BBB6BD5D311DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:27.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EDD41A8E992C28FC1EE2D07147E6E5,SHA256=A92385B8018906A4CB19DA2B0169913F4EE7BE73F8AD4F3C5F2A32B6AED5E29D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:22.645{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49894-false10.0.1.12-8000- 23542300x8000000000000000649718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:27.217{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60460DFDBFF2F7D2C4220430B3941FAC,SHA256=13415F3258BFBDD28AC2116473439ED513665C9A3049D6C24573CA5811DA432C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:28.812{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0633AA04E1278580C4B3E09002253126,SHA256=0501D840E5072DB7EA2ACFBE33E094B6C8AA90ED893C9154441574DF51A80867,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000595537Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.790{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000595536Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.790{97C2ED32-772F-60B6-0B00-00000000C501}6285084C:\Windows\system32\lsass.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595535Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.790{97C2ED32-772F-60B6-0B00-00000000C501}6285084C:\Windows\system32\lsass.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595534Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.774{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595533Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.774{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595532Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-DED8-60B8-5058-00000000C501}5168C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595531Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DED8-60B8-5058-00000000C501}5168C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595530Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595529Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595528Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595527Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-DED8-60B8-5058-00000000C501}51683792C:\Windows\system32\conhost.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595526Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.758{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-DED8-60B8-5058-00000000C501}5168C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595525Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595524Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595523Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595522Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595521Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-772F-60B6-0C00-00000000C501}7244200C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595520Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.743{97C2ED32-9D3E-60B6-7A08-00000000C501}33646096C:\Windows\system32\ServerManager.exe{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000595519Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.746{97C2ED32-DED8-60B8-4F58-00000000C501}2484C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000595518Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.696{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=723CCC480A1FF2C3B5862534D1B82F4F,SHA256=18ED9BB6E403BB0E29D454C33FDF00563D3FE10075E64D6AA154734362C6A5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595517Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.649{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=729B0E822C4E6F51211B7BDDD7BD257D,SHA256=012CA33405F324B376CC9559CD42F0217307A00F1DFAEFB0BFB18D3830BEF6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:28.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7296B1956D20E595609E5C9502447A83,SHA256=D8F3059A0294930A0583D63035399277ED1F1BE25E56596E4406DF15611A7FF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595551Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595550Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595549Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595548Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595547Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595546Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595545Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595544Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595543Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595542Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF7D1EB8D2568754B448B7A4092FC2F7,SHA256=42F1DE87E11B17229501FE4914AB7930063E2C39268B2E0AC7C6A6C8FA15DFF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595541Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.790{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-DD70-60B8-1E58-00000000C501}952C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595540Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=58267FC029525A660CBD7F7DD68DBBA3,SHA256=5754DDA688749EF9BA8124AF320592321CA641196F8F3DF72333123BCA56B724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595539Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.758{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1C0ABA980AD3154A9CA1153FF8929F80,SHA256=42D2B3847F90BD4E8A0E1EB5B374BC0DDD73DFA6DB1F4C1772BD1C0D86DD4607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595538Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:29.649{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA2276895113DEA553532B8AE4A8A5A,SHA256=3DDAAA45DFEA1896C5B7E04AC31F6DBB4E1CA5263C61A742D30CC54AC3515C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:29.843{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC03DA19AFEB9D52CC390DBAADBAB47,SHA256=8A310D0C9FD5B7BF6B133A692B245E143ECBCEE5842A1C9BAEE36C335BBDA466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:29.296{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9607DEB07A6981244B94652E8BC36FE,SHA256=B9B81FC4C6ADD7DF96B490C770CBAE079B9D5A6A7E47401B8A0A130515163D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595554Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:30.665{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D30B443BD9F5C2009132184B3153F0,SHA256=8BDEA285B360250E6E548DE64BA8E6DCB4CFB8FEAEED24DBD60249701DBF21AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:30.843{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110819D769C9F03D54A0D2DA92559253,SHA256=D5116485739DD66C3567AE3DF054B024053BB88C85CD7537D2EA24FC31BC99B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595553Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:27.630{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49776-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000595552Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:27.630{00000000-0000-0000-0000-000000000000}2484<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49776-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000649725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:30.452{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A796C27D7641F734B57841F30F0A4CB8,SHA256=1B4D0164D37D715BCE19AF28A79ED5381FFBD816484AD26F9D51FF0ECDFE05E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595557Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:31.807{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A6BD7A6F460B77FA60DE24C55B890F,SHA256=7B1F67369069EA073475A5634342BEEA795CEE01B760C50F5B739EFFAEF5DC46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595556Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:31.682{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70808B7DAD8D0A2F53E34276CB8EAE9E,SHA256=715F035C8A9E5468C405D5758A7B622FD7D12E46C9A0EE597910CA74FF5AFA4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595555Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:28.041{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49777-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000649729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:27.693{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49895-false10.0.1.12-8000- 23542300x8000000000000000649728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:31.749{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C26E394378E648C786C0FB9D454902C,SHA256=617045491567D144CE9230C0E7345303EB142B177A457D0FB34790072027D6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:31.515{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ECB99CA372BA70F2B06486EB96462DB9,SHA256=2B1E288CF8993ED23B3E11E696376A02C7BEC50D7D6971076D8DAD10CD67FFEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595558Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:32.726{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBB88E69CE9814DE71B1B81ADA73E83,SHA256=E5CE2DF84A9084D2B1D7A7603F9C325E6E8F603AA9699D1DFCC0DDA8D9751FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:32.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1549BC4939EC9EFB134B9E38AF36A6AF,SHA256=012BB0547E01640E44B1C303DC577AFCE60596BF51176D1B7FC80E6461B7DFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595559Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:33.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80753601505F92B23B04FED061920D6,SHA256=B7F5A85077C567300A970B92B0D87F9DB357EAEB4AD46822F3FBD4709521A2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:33.218{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEB81D6DFFA54DCA19C51C27B01CA9C,SHA256=E9896521E9239B95AEFA4E87131C2957850ECF842D4B8444A1128DA8372B3581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:33.124{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=341ED64E157C24ED11B701E40E5254D4,SHA256=908084E2EF636B0EFC871DE169C17B4F00CB37D3A7BA3F5E2844186D4DF320B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595560Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:34.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F014DFC830DEC7207C3A5E36B22F4A65,SHA256=E00D2A010ED7F2E0D24C777CCAC9E7124F6FAACE831F18D6A11E4FEB3963298D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:34.249{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D723F1B26BC36C492CB5DB343F290E7,SHA256=3147420D462219911418E959E16CC8C76C8A51AC2C365193775A91670FDDDFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:34.249{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9D89B25173630D31DDE1971B37E28C6,SHA256=226F0692F7C22F2B5112D1034E027ACF70D4F9746BBDD623A5AD53DD558B6612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595561Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:35.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5387FDD25594C92F844E9A28B40DE661,SHA256=E7AE620A733E8D1E5E78FC48BC445FBFFB6BA1B0AA6B651DEF3236487AED02C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:35.390{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9821135E7F6FD1D058E1265F8E90B7F9,SHA256=12BDB4160977A7988168873B93B798F3758C4B49E2484ED51A657817899D13C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:35.265{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD42AC7D03945855FCFB50376E8EB6B,SHA256=8C04130C58667A99D006FCB39540058A655D3335C6F5DC4009D3E98318DA77A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595564Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:36.757{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131D0ECC2AD7762DFFDE361E3DC076F6,SHA256=E24E368D4D4E523D9DDAF24541FA035199289F790A32512977F820B10359C9C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.528{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE98A66712C5C32A484F9AC2E91517C4,SHA256=33EB2F3E792A949150A5DDC11060E22F5F0FC56732EC3CF96C6D8DB16EC5C57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.309{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF724531BEE25B5C360F7EDC340E073,SHA256=95AD36F043A5DD0CFD80336A0DFF09230EB14A7A22912371652F8BBA8E75FD4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595563Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:33.917{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49778-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595562Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:36.135{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D603042E4D45D0FED1C4BEBFB01CFBA,SHA256=C79BB897656F4FE66005008576623C737C7238358F5EE86001DFBB1F494CFD74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.075{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.075{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.075{D419E45B-752F-60B6-0C00-00000000C401}8485444C:\Windows\system32\svchost.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.059{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.059{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:36.059{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-DEE0-60B8-7F4E-00000000C401}3492C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595565Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:37.773{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C8A6983FA7B9A445C6CCDF0EDE691E,SHA256=53548BFDB7C5FB985B8F11E49D4C18C0C03D4183ADAA6B944789ABECB9C2E2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:37.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D533AFEAFA21526513CBE2D71478876,SHA256=57B3BAE5E938A1069CF74E109D41926F41C9DFFCD4D8D6D086D0AE7042E0B272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:37.314{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BB58E042D7119356F3D3E6F7A85505,SHA256=599D9DBB54DCCF651E0104332B43655D47DC03BB32E9D403B3A03D154A76A700,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:32.709{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49896-false10.0.1.12-8000- 23542300x8000000000000000595566Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:38.773{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3B1EE6130B0D67F3D5F059D61D0CF4,SHA256=2741F9EED9CB8965C177959348A135D0015CCF09DBB669BC7E589662909ABF1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:38.767{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7543116DF5BBC22E3BE3B23D31B166E2,SHA256=AD3C6A2947C1498AE70B95889BF9CADF6AC23E05E715C0048B2FCE190EDBD040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:38.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A430105AC1EC2E7EFDC1625BE3D8844,SHA256=98401064B24FBBCE37E314582B83A0FD1FB950D361CD78E8660E3F1C7E640C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595567Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:39.773{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D90D20E6787F9CCFE47C8FC94899ED,SHA256=2E90592AAA936E3D33268C766B60BB6F341E997C814B27F101AD008C2B120345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:39.345{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F793AFD9B32EA3AA491556389C0814D4,SHA256=57E8ABEC1D60099D2B240CD687312D624F595913E10556C92785215A1411D07F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:39.267{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:39.267{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:39.267{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:39.267{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595568Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:40.820{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429BF77951094AC41AF7DE03892D45ED,SHA256=9260B66E621722344B61E5ADE740F59DBA74A66B8F07D92D074F061CEFEDC449,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 13:53:40.471{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXEC:\$Recycle.Bin\S-1-5-21-3762655356-77726385-4168110057-500\$I94TWRK.exe2021-06-03 13:53:40.471 23542300x8000000000000000649756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:40.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25EBF1C463A9AB5F9261CCED786FDB1,SHA256=D7A3D09CC51238CA15FEA92A07F589DC35A07B00185A85FD612FCD65C2ED379F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:40.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6549823A907235892E93B2EFD854CB98,SHA256=EA8594959586F65E8D3DDA08F3D5DFE3E24D06B281FFA82D82AF82356E4DBA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595569Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:41.851{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7FEE8C478904B3B76586044CAB041D,SHA256=D4C7B021C53AE88E3F8AF6FAD469C94ED5B260C86D8F00A51ACD455CDD69496C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:41.627{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B59F042F6A6F201AAEE70BC34F5D4326,SHA256=CFE46764A8B1F0A33163FA4DBC055F26238C6D194E555C8EE0F58453E9A8A823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:41.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46C9C060A27BA53AE1F6BDB9114FCDB,SHA256=453F8343B09F1FDF06065F8A1E052A982BA4C3F1371D2D63B855A0F8F9701595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:41.283{D419E45B-78A4-60B6-BF02-00000000C401}39765096C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:41.283{D419E45B-78A4-60B6-BF02-00000000C401}39765096C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:41.283{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:41.283{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:41.283{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:41.283{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595573Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:42.851{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077BE2106317D378B87100B4893F9648,SHA256=0D7844018E9EC25E2480A18509040258BB01C7DE917ECAAA1D6DCB124548D47E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 13:53:42.939{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\SharpHound.exe2021-06-01 19:37:02.989 23542300x8000000000000000649767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:42.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4308C6CB2D2A41B9912F821203C0669D,SHA256=ED1BAC991D8A9B2DC1BEAF7E962C2BA89B75DC765C50A30672496878E190573E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:42.408{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9230D2807DEB0F0E09D58C65F7C7A4,SHA256=B34F58A79FC1B7C6580CCA123DED5EE9CA462B4C99E54E176CC0771087A8E683,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595572Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:39.868{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49779-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595571Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:42.070{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7EEEC4B9B1A444C5C80B2D952EAD1D5,SHA256=7D882D022613322725E252CA469447A8468710F4EE226BF808EFA13A1DBCA81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595570Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:42.070{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEE264DF364EEB2D583631BAB90420C6,SHA256=566100E718A8B6E2DA7ED2A4137A614C77A1D443E8356FF0FECDE92BB25660C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595574Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:43.898{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F764D0D3E8FCAAEBC863E08675A4352,SHA256=CED14CCD9687FE4E1245B6C9154D502316A2A68AA3B235DDF8E4F1FCF1B6416E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:43.924{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=018B6B14244801D9EA414A7A60A202BE,SHA256=4B59EF1016BAB307BBF8A084F29000C8A2F730A6561367098578AB1785CCD76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:43.424{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6390F98861D2CA25609E711CAD9E269F,SHA256=FE2221B4BAB6D76F4B148E81A288E978FFC79391BE443EAA622311A37DF01431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:43.424{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=76AD99E0720FB19C61FC2899BFE68643,SHA256=D60DDF05DA7439622BF69496592AF8B576A4B81B7F6E17E8E683905BD26846D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:38.633{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49897-false10.0.1.12-8000- 23542300x8000000000000000595575Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:44.961{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA70028B3BC834002D5A8EC4B1F6AB8D,SHA256=F24B022E726B74526C54D02B03858C82B2B77C7AD627BF940CC587CB5ED9FFFE,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000649778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:40.966{D419E45B-A18D-60B6-EF0A-00000000C401}3200raw.githubusercontent.com0::ffff:185.199.108.133;::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000649777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:40.623{D419E45B-A18D-60B6-EF0A-00000000C401}3200github.com0::ffff:192.30.255.113;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000649776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:44.439{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A45D4EF34A76C18725552D9C0BBE112,SHA256=DB13AE19600D77F6FA38A86E669CE508B55DEC19C67806E2230A3F49E6C864C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:40.278{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49899-false185.199.108.133cdn-185-199-108-133.github.com443https 354300x8000000000000000649774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:39.936{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49898-false192.30.255.113lb-192-30-255-113-sea.github.com443https 354300x8000000000000000649773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:39.925{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local52417- 23542300x8000000000000000595576Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:45.976{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1B4F1C14ECE064883BF724D014E115,SHA256=3821520E11CF2060BE967CE0E7045E8D6D17379DBE43097539ADEFBBEA38BB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:45.455{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CA572086AFD10B60D5EFE52DACADBB,SHA256=F8B28D3BFBCE954AFC5D4CE0A0369C2A41CA4C2D9AAFAB546CBA89D7B08B6037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:45.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D808AB550BDEB3F9703994BBE184F961,SHA256=98E7D09EE0592D4BB64A1ED5834518477EF24DED334D6EC8494AA263BBE9DBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595577Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:46.992{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B76FFF4E2EAF83AC738B87D97C826E,SHA256=D94EAE7E93B5F876A4A2E99A9B482CF7947CB7339B9C847BE940B42863C36A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:46.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224CF914855EDFD244F1E02F0AC98A1B,SHA256=27DFF18C26220F2AD8D9583988125D6622C53E6F918F7ECE78D124F998AFF8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:46.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B902007D66A77DA1792BBBCBBCB0FA6B,SHA256=7681CADE6D66EB51D6065525B11E30AAF0E73BE0566661A29C3C1342D214F365,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:46.517{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:46.517{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:46.517{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:47.814{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30DDCB258B32727F0B3AF7495E918AD,SHA256=78A1F883D9C8943FEA24AEE2F208C6494C7300F51180284515E86428BD47AAE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595580Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:45.040{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49780-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595579Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:47.226{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E818E1BDFD3B4EE6CFDFC9C3A9649A67,SHA256=11014B93EF766B4280D0529B03033DBA13E4337A52136DC5609C0426B51ACE6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595578Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:47.226{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7EEEC4B9B1A444C5C80B2D952EAD1D5,SHA256=7D882D022613322725E252CA469447A8468710F4EE226BF808EFA13A1DBCA81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:47.502{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C13F12310D2BD51D1D241956D0230B34,SHA256=BAE0E25E8063F85854666F044F2B132E237CD7C811BE3FCA19153BD65FC52EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:47.345{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=998CC743AC0D3764E389F718FF86F5A2,SHA256=FE6599D505CEF793C829D49CFDE977843B6536F408344006224A59C84537A2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:48.956{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1502225B8D4295F90574579516FE7138,SHA256=5AAD4403AF6C1A0DC8795A7EB71EB1E02D2746B71D3E882F364E2B07D2724CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:48.830{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE18A623D04BD697E11932869D39FC5A,SHA256=F42249425F80049CFF382E76B9B8954407DE11B5123F5A1D7B491E0D83C732CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595584Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:48.289{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595583Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:48.289{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595582Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:48.289{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595581Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:48.023{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4617EBB1A4EFF04F2218B9A35AC7BF52,SHA256=604ACC0B2283FFBEA9213F587550D1E88214CB4CF008CBBEF9FACDF0D08BC2E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:43.758{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49910-false10.0.1.12-8000- 23542300x8000000000000000649792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:49.877{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CAB44A6BFA0FB5FB3B166F12A00C5B,SHA256=0319EB66AB6E11EA809F7B0D6BAAC8237D00A8F46054F237E29DDBC53951186C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595593Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.570{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEED-60B8-5158-00000000C501}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595592Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.570{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595591Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.570{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595590Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.570{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595589Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.570{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595588Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.570{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEED-60B8-5158-00000000C501}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595587Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.570{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEED-60B8-5158-00000000C501}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595586Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.571{97C2ED32-DEED-60B8-5158-00000000C501}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595585Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:49.070{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2049C26A3322A47334A87C76267D4966,SHA256=BFF268374460A799EAC4E32AE38DB7C6B3E636CDED3038D8294C371641A4C5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:50.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBB59DF6C05F7EDC0B3C44734E0309BB,SHA256=AE1318E5251E46E2F17676FCB6B52C20D6BE423FC0E77C937007AD3A56162DB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595612Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEEE-60B8-5358-00000000C501}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595611Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595610Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595609Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595608Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595607Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEEE-60B8-5358-00000000C501}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595606Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.820{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEEE-60B8-5358-00000000C501}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595605Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.821{97C2ED32-DEEE-60B8-5358-00000000C501}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595604Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.586{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E818E1BDFD3B4EE6CFDFC9C3A9649A67,SHA256=11014B93EF766B4280D0529B03033DBA13E4337A52136DC5609C0426B51ACE6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595603Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.351{97C2ED32-DEEE-60B8-5258-00000000C501}40325276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595602Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.226{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEEE-60B8-5258-00000000C501}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595601Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.210{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEEE-60B8-5258-00000000C501}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595600Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEEE-60B8-5258-00000000C501}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595599Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595598Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595597Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595596Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.195{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595595Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.196{97C2ED32-DEEE-60B8-5258-00000000C501}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595594Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.070{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBB08C21AD7361475263665934C40CC,SHA256=AA2C08974DCCC370B0106C8DFDE0CEFB75287D5752C9B6E9FF2B39746D509377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.142{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396A7AC154836A7E8AE2ADCBACCF3B9B,SHA256=AD08F75E3E7ED087B3ADBB92B6ECE75EF64D029CEF5A69865CD32304BA17E748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.095{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF27BCC6EBC92C084D4C4B79415A0E45,SHA256=92F3E99BCDF33EF44A29E7FB53DD079FAF2A90C371AE2FD11D7F84F82E36CB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595622Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.851{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77CCF3B1AC2374BCFD61A34B7D37927B,SHA256=8D7950670DABB23A3F683B3778843EC08057BD91451674417755C6D8028BD6B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595621Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEEF-60B8-5458-00000000C501}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595620Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595619Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595618Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595617Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595616Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DEEF-60B8-5458-00000000C501}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595615Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEEF-60B8-5458-00000000C501}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595614Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.492{97C2ED32-DEEF-60B8-5458-00000000C501}5792C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595613Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:51.101{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B289982250A305BFA99AB579092FDB9,SHA256=3FD3A933AD8ABD640415D881AFBA55189342DEFB19F2439390F4D382A41E34B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.908{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.845{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.845{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.845{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.845{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.845{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.845{D419E45B-DEF0-60B8-804E-00000000C401}47602112C:\Windows\system32\cmd.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.849{D419E45B-DEF0-60B8-814E-00000000C401}1084C:\Temp\SharpHound.exe3.0.0.0SharpHoundSharpHound-SharpHound.exec:\temp\sharphound.exe --CollectionMethod allC:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=63D22AE0568B760B5E3AABB915313E44,SHA256=61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{D419E45B-DEF0-60B8-804E-00000000C401}4760C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c c:\temp\sharphound.exe --CollectionMethod all 10341000x8000000000000000649805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.845{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DEF0-60B8-804E-00000000C401}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.830{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.830{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.830{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DEF0-60B8-804E-00000000C401}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.830{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.830{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.830{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DEF0-60B8-804E-00000000C401}4760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.828{D419E45B-DEF0-60B8-804E-00000000C401}4760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c c:\temp\sharphound.exe --CollectionMethod allC:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000649797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.236{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31611E7F5C0F5684DA336A69360A61A2,SHA256=638530F9D0D6ED98A523BEA7E7AE44E20657F21B40B1C19F41183225DFD29FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.095{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769996E144140B17A7563F2F5E047923,SHA256=9D9C20E747BE4ADDDD47036B2280E82BFC8E9BD12B25A91D2001C532288482AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595641Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.960{97C2ED32-DEF0-60B8-5658-00000000C501}47402108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595640Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.836{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEF0-60B8-5658-00000000C501}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595639Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.836{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595638Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.836{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595637Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.836{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595636Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.836{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595635Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.836{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DEF0-60B8-5658-00000000C501}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595634Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.836{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEF0-60B8-5658-00000000C501}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595633Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.836{97C2ED32-DEF0-60B8-5658-00000000C501}4740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000595632Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.289{97C2ED32-DEF0-60B8-5558-00000000C501}46165144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595631Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.164{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEF0-60B8-5558-00000000C501}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595630Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.164{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595629Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.164{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595628Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.164{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595627Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.164{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595626Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.164{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEF0-60B8-5558-00000000C501}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595625Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.164{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEF0-60B8-5558-00000000C501}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595624Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.164{97C2ED32-DEF0-60B8-5558-00000000C501}4616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595623Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:52.101{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A1BD541035E64E6CFB22A196F18007,SHA256=FBA7D811490D4CFC87EDE82E0F363EAC6844A1BFE44FBC965D9A83BB537F03EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595653Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:50.899{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49781-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000595652Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.632{97C2ED32-DEF1-60B8-5758-00000000C501}56963140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595651Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.492{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DEF1-60B8-5758-00000000C501}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595650Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595649Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595648Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595647Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.492{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595646Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.492{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DEF1-60B8-5758-00000000C501}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595645Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.492{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DEF1-60B8-5758-00000000C501}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595644Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.494{97C2ED32-DEF1-60B8-5758-00000000C501}5696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595643Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.117{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=859E4DFCC7EFE0D2564A81B27B8AA3DD,SHA256=FF88F69AE7EAB9607C727EBAAFE45EC7A2884F370A991613FFBAE1679FA7040B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595642Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.101{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF2D0728003F7F3176643D771731068,SHA256=EA0D03FFE182EE7EA5F91D22253C2096B9EA92942C8D575D1E96249D2FF9F8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.861{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C8DBD3FCD18B2C74AF8A40C1F5ED53CE,SHA256=BAEA2A9C95EE66796A319AF8B2991CA167F024FFC315BC78B5BF5CC3DDFB5541,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000649827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-DEF0-60B8-814E-00000000C401}1084C:\Temp\SharpHound.exeC:\Windows\SysWOW64\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=B7E2FC98A721415DE1B2A77D9A7B95ED,SHA256=CA6EE939BAD0EF32A1A62D1EA6D7D29006889FF6C4626650F9CD38FD6C27B87D,IMPHASH=F041BC2D00F8EE54536427C63882D791trueMicrosoft WindowsValid 10341000x8000000000000000649826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.736{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.705{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.705{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.674{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.674{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24ED6F0EFA4B5C48E302138C84BDDB57,SHA256=D46421AEFC0DC30FE19B7E44490B1315513BEB1675EA9AA4CBE5B8494EC4FC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:53.127{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E1B05EC8E2D9BEBF796DDA9795B90B,SHA256=12B97E85DD201A884B4F2C9F84E96A3A0A5466F39B2DAC8509AB1B9DF0DB60A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595655Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:54.539{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7359B4758DA65A817F39A99405F869AC,SHA256=4955FC2EDB7A20481A4C9CB041FEA97F949ED6C905D10C85D4ABD14D0BE61249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595654Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:54.132{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50E5DDD43E09CE225901565BC511959,SHA256=83A9B9208F24B288AF9DBCE1B6D57014C4B5D1F5C1DCD508370CF059EEABACA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.861{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=621707C55D6927CA68C3837AED424E06,SHA256=F7645BA1F14225034ED12CF2E5E7475F06C7FF4EE8DCC2391659D0ABEB2583DD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.736{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.736{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=8587E3632B61451FF6EAE643AE6A3294,SHA256=EB31C6EB0B40050881C3EF1B243774ED34957BF95AFD98F6F09767A2505BDFC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_users.jsonMD5=7797A36FAC4DA6BAE3B36D8D45AC7493,SHA256=7888A47D021E069D98BBEEEF8BE70D910CE9980D130DCEC0923710C588CA1F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.720{D419E45B-DEF0-60B8-814E-00000000C401}1084ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135353_groups.jsonMD5=65CA7A88725EFED6C7E7A257BBE2CA5D,SHA256=8EB4E54312A01786ED7D56BAD602660DABDEF2367193B959A44198D30917E7CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.689{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_BloodHound.zip2021-06-03 13:53:54.689 22542200x8000000000000000649856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.791{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 10341000x8000000000000000649855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000649854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.791{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 10341000x8000000000000000649853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000649852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.791{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 10341000x8000000000000000649851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000649849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.035{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 22542200x8000000000000000649848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.947{D419E45B-DEF0-60B8-814E-00000000C401}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;c:\temp\SharpHound.exe 10341000x8000000000000000649847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.689{D419E45B-753F-60B6-2C00-00000000C401}30206308C:\Windows\sysmon64.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.674{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_computers.json2021-06-03 13:53:54.658 11241100x8000000000000000649845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.658{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_domains.json2021-06-03 13:53:54.658 11241100x8000000000000000649844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.658{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_ous.json2021-06-03 13:53:54.658 11241100x8000000000000000649843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.658{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_users.json2021-06-03 13:53:54.658 11241100x8000000000000000649842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.658{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_gpos.json2021-06-03 13:53:54.658 10341000x8000000000000000649841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000649833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.627{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000649831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:54.595{D419E45B-DEF0-60B8-814E-00000000C401}1084c:\temp\SharpHound.exeC:\Temp\20210603135353_groups.json2021-06-03 13:53:54.595 354300x8000000000000000649830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:49.742{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49911-false10.0.1.12-8000- 23542300x8000000000000000649829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:54.158{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BC20427A10D2184C5409D67E906143,SHA256=783C0AE87A12E7D1C20E6634C083481248332E8B862858917D3BA04764CDF22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:55.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DEE8326FA4532FD5A38E954E92540D2,SHA256=B40CD093E44A8BD04E32513EC986B84F28AB331E21F756D3A9E6CB4F08D19436,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.167{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49930-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.167{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49930-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.163{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49929-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.163{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49929-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.155{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49928-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.154{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49927-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.154{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49926-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.149{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49925-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.140{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49924-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.140{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49923-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.140{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49923-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000649892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:55.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=71230FE7554BD30C28A4A92FD44CBF9F,SHA256=A1EDBD572E91BAA4841056AC944532545EB88198ECB14456055038F088AC76D1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000649891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.836{00000000-0000-0000-0000-000000000000}1084WIN-HOST-236.ATTACKRANGE.LOCAL0::ffff:10.0.1.15;<unknown process> 22542200x8000000000000000649890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.792{00000000-0000-0000-0000-000000000000}1084win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;<unknown process> 354300x8000000000000000649889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.098{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49922-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.098{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49921-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.098{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49922-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.098{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49921-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.097{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49920-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.097{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49920-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.096{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49919-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.096{00000000-0000-0000-0000-000000000000}1084<unknown process>-udptruefalse127.0.0.1-52418-false127.0.0.1-52418- 354300x8000000000000000649881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.096{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49918-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.096{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49917-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.096{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49917-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.095{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49916-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.095{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49915-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.095{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49914-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.095{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49915-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.095{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49914-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.339{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49913-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.339{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49913-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.241{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49912-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:51.241{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49912-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000649869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:55.345{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF73824779311CCCB4C9E97DE5A8D22F,SHA256=59F4FC9D48B3E29FBAFAA20B1CEC5B5AC40F9A23B2254EEE12C8C5032807AB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:55.283{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23FA1A7C640C0D800FD0B28550EDB0B0,SHA256=24C1539C0D4033E45E9C7E2677EBC0CB0E1323BBD777B5479512B51FFC99B7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:55.221{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0679C1DE653159E3906EE484D78CD685,SHA256=89B8B8FBE7996FA076F21C32E0EDDDE4B4E63E6427C21CB548345A738F665224,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595658Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.443{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49924-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 23542300x8000000000000000595657Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:55.601{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66AA61AA67849658468467762ACAE777,SHA256=BCA34BF619A8519B7701A05794E51DD631193A764466A5619D32DFB9993C74B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595656Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:55.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE83475BC7F4E7DD08CBB686D36F1A74,SHA256=8C0E4A2D1943E28F792833DE6A783E84C13307017F4AE7AFD543E498F53DB3C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:56.392{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F644B61A69E89BA94336FD0A5583242,SHA256=7747F2EB9A23C23D4C397BC4564B7E7558174AEC03061AAFAF68A161C240BAEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.096{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49919-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.096{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49918-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:52.095{00000000-0000-0000-0000-000000000000}1084<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49916-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000649905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:56.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3735E0E51092868FCAE36C7469EF1EB,SHA256=6CF4018AF1287715C26B745BCBA2A9F4FC5A13F6F738640904E4A17B16101B9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595663Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.458{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49928-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595662Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.457{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49927-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595661Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.456{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49926-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595660Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:53.452{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49925-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 23542300x8000000000000000595659Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:56.179{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7B869EC7BB739B018C5622FC5800F9,SHA256=14E22894E194B94D394A19B8B509E15C216F7DA6BB7437E0447D75A8959E5609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=460C760B62FE70D0D55978940FC63817,SHA256=07BAEBAD3440A19C4B9E388C5D2D3AD384CADA1DA1DBCA550B130B182B68B6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CD54D94B81A06C5EC7FB0C4D90D217,SHA256=0429DC16D073CD5BDF545531C5E0586197575E956485E788DE4968F1A8C3863E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595665Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:57.293{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595664Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:57.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D21606D46B681933E3AC4F7ABB10663,SHA256=563070C643D6A44C24B918BEF6700191619294764DBA9724AB917FB9DDE3FEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.985{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-DEF6-60B8-824E-00000000C401}53446396C:\Windows\system32\cmd.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000649922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.980{D419E45B-DEF6-60B8-834E-00000000C401}6968C:\Temp\SharpHound.exe3.0.0.0SharpHoundSharpHound-SharpHound.exec:\temp\sharphound.exe -c allC:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=63D22AE0568B760B5E3AABB915313E44,SHA256=61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{D419E45B-DEF6-60B8-824E-00000000C401}5344C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c c:\temp\sharphound.exe -c all 10341000x8000000000000000649921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DEF6-60B8-824E-00000000C401}5344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-DEF6-60B8-824E-00000000C401}5344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000649915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.970{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DEF6-60B8-824E-00000000C401}5344C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000649914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.962{D419E45B-DEF6-60B8-824E-00000000C401}5344C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c c:\temp\sharphound.exe -c allC:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000649913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92B36974C06837A477B3D393BF8F21B0,SHA256=8A6376679CEFFA2591D8B545AEF0D7C39AFC2C05884C7470CA9E6DEFFD3765A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:58.532{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2A794D9189CE8E2F14FF2449043059,SHA256=B274AAC6D19B64A7A8A70B2CA18F2B14C22B1B5BA12A366D81B44B8F8A5DC47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595667Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:58.293{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E70C18B386AECB73C8F11AC46DE48951,SHA256=E95B54B649316F0A6F5FBC2D8713B7D3B4447B3690E8343115305B0DF0BCE4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595666Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:58.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF80B8BF41618622865894ED2F7B925,SHA256=02C5D4D6E39F2660FCB83048943602C62FF8DFA1E053A4BEF8A707B2370E964A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.814{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000649962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.814{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=0D30DFB54488D59E2B5B93E04E43134C,SHA256=C0A9ADC14C4C1D34A5502CA9D21C4DE4CF6366C1BD92D0B295E66AECEB068969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_users.jsonMD5=3E9BF373CFDF495E48CB3AF1A6845963,SHA256=60E6A1128967EE05C94EA16086FBF591FF2E4EB08005D5ACBBE1B4AE051B4B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.798{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.782{D419E45B-DEF6-60B8-834E-00000000C401}6968ATTACKRANGE\Administratorc:\temp\SharpHound.exeC:\Temp\20210603135359_groups.jsonMD5=1B97C2394DE6069C7735509577B0BFFD,SHA256=0E010B488DA453E57144D0959FE672A3F8F384D9D796BF7AA43C8688A2685B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D06B11B9DB9183154CD524479082A73,SHA256=C3257BD17A70E17D2F76D87886C923F0875D531D70C775734272A108017F54A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EEFF8F725107B7DE5FD2941EF0CA18,SHA256=78DB990EE7EAB6DD27FE4D59C3A9BB1FCBCFA6990C88DEC593B4A9F804A5D033,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000649953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.767{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_BloodHound.zip2021-06-03 13:53:59.767 11241100x8000000000000000649952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.735{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_computers.json2021-06-03 13:53:59.735 11241100x8000000000000000649951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.735{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_domains.json2021-06-03 13:53:59.735 11241100x8000000000000000649950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.720{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_ous.json2021-06-03 13:53:59.720 11241100x8000000000000000649949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.720{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_users.json2021-06-03 13:53:59.720 11241100x8000000000000000649948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.720{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_gpos.json2021-06-03 13:53:59.720 10341000x8000000000000000649947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.720{D419E45B-752D-60B6-0B00-00000000C401}6326060C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.720{D419E45B-752D-60B6-0B00-00000000C401}6326060C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.720{D419E45B-752D-60B6-0B00-00000000C401}6326060C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.720{D419E45B-752D-60B6-0B00-00000000C401}6326060C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000649943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:55.679{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49931-false10.0.1.12-8000- 11241100x8000000000000000649942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:53:59.673{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exeC:\Temp\20210603135359_groups.json2021-06-03 13:53:59.673 354300x8000000000000000595670Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:56.888{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49783-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000595669Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:56.107{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49782-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000595668Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:59.199{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03394D555B2BE7AD267A131D504B5FBA,SHA256=8017FD5DBE8693E6CD2AD5AE5781388052D2EE95E8BFD1DAF1972B3343CB1C12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000649941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.189{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000649935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.173{D419E45B-DEF6-60B8-834E-00000000C401}6968C:\Temp\SharpHound.exeC:\Windows\SysWOW64\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=B7E2FC98A721415DE1B2A77D9A7B95ED,SHA256=CA6EE939BAD0EF32A1A62D1EA6D7D29006889FF6C4626650F9CD38FD6C27B87D,IMPHASH=F041BC2D00F8EE54536427C63882D791trueMicrosoft WindowsValid 10341000x8000000000000000649934Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.173{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.173{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.158{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.158{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000649930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:59.158{D419E45B-752D-60B6-0B00-00000000C401}6325016C:\Windows\system32\lsass.exe{D419E45B-DEF6-60B8-834E-00000000C401}6968c:\temp\SharpHound.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000649988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:00.767{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BCE5FA9891CDDA93E8C0819187665BB,SHA256=AEC4C12600FDF572438A30E70BB2C45B299DB57EF47BDC880CC7EC1F5EF25662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:00.767{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49741B85069759EF8AA4AC1DAB103636,SHA256=FA588C4DC57A3DDD7EA76B3C8B6CB0F5719827B2F7BA794D0EDA7CF131D6F300,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.176{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49942-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.176{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49942-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.176{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49941-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.175{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49940-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.175{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49939-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.175{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49939-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.175{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49938-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.175{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49938-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.173{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49936-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.173{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49937-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.173{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49936-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.173{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49937-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.172{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49935-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.172{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49935-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.172{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49934-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.172{00000000-0000-0000-0000-000000000000}6968<unknown process>-udptruefalse127.0.0.1-52419-false127.0.0.1-52419- 354300x8000000000000000649970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:56.721{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49933-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:56.720{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49933-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:56.700{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49932-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:56.700{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49932-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000595672Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:00.683{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46EAB8EBEC91CE572CFE85D209CFE115,SHA256=869FF1EECBBD0987C9A20D43F54A5D1A6E03CA53BA4E8B3C1C940491606FC736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595671Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:00.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29644F7396DDA7FE049CEB5213909BF,SHA256=20CD1AFC019D561BE8B02ACC8A293F9ECF5CCED2C69E3520B71EF08E013D67D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000649966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:00.251{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000649965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.398{00000000-0000-0000-0000-000000000000}6968win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;<unknown process> 23542300x8000000000000000649964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:00.001{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=47DBF9BEC62AEE32447881BE616CA701,SHA256=9C93CCABD187F802A60CD002BAB19CCFA801B76A8027547A2989824E049F2641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:01.907{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C01C3B4F56D1DF73C95FE977826D08CB,SHA256=188AF05850163778FC1766F6E95A102DEB8D53FAB02F9BDCD40E0794FDA54C5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.221{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49946-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.221{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49945-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.221{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49945-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.204{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49944-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000649995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.204{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49943-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000649994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.204{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49943-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000649993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:01.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBB14B7DC468B6D0D8C9A3A1489D3BC,SHA256=E5874D646BAD6E4DB19796BF50C6B6D99AC431DF461B1134200C9616C287F0CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595675Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:01.902{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1412EC00CA288694710DBFA5D9CC1C74,SHA256=E12BF2902B53385CC8421F63E226809C91D41580E3D34816E821AE2D91B8B3F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595674Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:53:58.507{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49944-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 23542300x8000000000000000595673Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:01.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F29D1C5F5DC6EC12B1935007E9D72320,SHA256=5B8029DCA6D33D60C075BB99204F52F6AC75F78DD7E9A79467A78C982AAE1394,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000649992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.176{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49941-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.175{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49940-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000649990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.172{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49934-false10.0.1.14win-dc-233.attackrange.local389ldap 22542200x8000000000000000649989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.899{00000000-0000-0000-0000-000000000000}6968WIN-HOST-236.ATTACKRANGE.LOCAL0::ffff:10.0.1.15;<unknown process> 23542300x8000000000000000650003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:02.814{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F923B4A1D4DE39F4B85706A2A0B9E1,SHA256=F4F17785123BC96BDABE068EFC7FB281704878C402F720F81741C775ADBAC949,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.757{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49947-false10.0.1.12-8089- 23542300x8000000000000000595676Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:02.230{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFB09EE46FFAA08FA454BC81F241FAA,SHA256=CDF8CE5A127467A11BF990229D562E6E006725560C65FC1C98DA7CEE5B3A4091,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:53:57.221{00000000-0000-0000-0000-000000000000}6968<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49946-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000650005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:03.845{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C979C92AACFBF498B81E447CE6FD8E6F,SHA256=5F299B26F186569F4C2554849BA30520604D82224C9A16D562815593FCA3E693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595677Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:03.246{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24BEBDD6CB1C4F16B8A9030EF85B9E6,SHA256=31106AECDB4AC42984C44444976EA6CA70CDD58E7B1FA6CF1DF78286C4370622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:03.048{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BDDEDEF0119189770D2EED3F32294FD,SHA256=68FCC5C3B6B53A7A13C56C192DA72830C6E647C957EF8B47D0C27269D05FAF0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:00.741{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49948-false10.0.1.12-8000- 23542300x8000000000000000650007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:04.860{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF16BF4E0FF2B3777BDF97A7957532AE,SHA256=8F3EC8D8298F947555B550E83001DEBC41FB67B24B01C32E927163232618CC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595679Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:04.277{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59B9B5C92B00E03611DB47930CEF4BBF,SHA256=DB7A9A3EF364CB9BB96EC5106DEC3C62DFC1A177A055B9980E98F7C8FD6EB909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:04.189{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCF0159D53FF8DD7237567979BAB5784,SHA256=59700530A9560B6A2B7645E92DE9EAD991BBB0A5C1AF588F0A469183B6EFB3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595678Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:04.168{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD9573F082139D05AE1039080D30687,SHA256=092D4893863C82777DF1E1A27A7393156F868D5E827B18728F9BE3FA366F850E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:01.570{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49949-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000650012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:01.570{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49949-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000650011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:05.876{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78B388847436CC81ED73E302B1E713D2,SHA256=0E445C60BEF8E6C059DE2A4252DD1CE9E28C1E073D69BF0C5083173E1775ABE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595681Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:05.324{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5DC49A4EDC1D329D22DFE9B488B414,SHA256=3A4FF81CBB134F189DE62DA71073E7C4A939D90EB84F6C21AA344C5D26F36AC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:05.532{D419E45B-752D-60B6-0B00-00000000C401}6324968C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000650009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:05.329{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=465C4CA8919077A38B7B7DBF0220B3F9,SHA256=97D7C35F0848E398B3D0AAD117030B1850C0CFEA1235DBF719C3C3A8956E37C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595680Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:01.919{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49784-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000650021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:03.058{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49952-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:03.058{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49952-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:02.955{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49951-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:02.955{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49951-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:02.948{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49950-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000650016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:02.948{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49950-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000650015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:06.923{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11ADBE18E83D4056CE0174566E5ABBC6,SHA256=F356571AAFAF2E838E21D272AC84CE614095343BB97FBD260575E00082A76490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595682Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:06.340{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AEDB05404E5F7BC7C511BB8483538E,SHA256=FDD871F854A7E74854B8963F2F061D6FF3D06F72F2AF3FFEBBE97F1D903A747A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:06.579{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DEFAB417FC92F59053BD2B0DDB2A532,SHA256=64AA61C9D7BE06FAA549836EA8B40F14CA60F969DBB08EE5F6A0C7CEF5C08EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595683Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:07.355{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B2BE88EB5B1A1D210A7E45F9579EDB,SHA256=6E43E1DD40D2FFCD62A2D4DAF4260E403F61D1ECB54CC45CC406FE6931A9CCBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595684Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:08.386{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F7C17540E8ED29EE65486D5C2D4A82,SHA256=6369C8A79F389F9614FD3C2BCBDAD0901308B732C60A5B9F714BE95DC1B7EBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.079{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93E6F87BF4574C77F92A40614BEFF697,SHA256=7D0D902229C61BCE9FCC5C255135FB0DEEDAFD97402E856CF6DD2BF498DC1695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.079{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A23E93F6DC5C0661F8A90DC9E6CBE2,SHA256=E4A923F41303ECBE9B3F82640CFA22F9AB483F93CCDC811BF819AE392D47562E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595685Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.386{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF154313F298064656CD4A2101BBCC4,SHA256=C8A6408C6CFA7EE1CA891A6A3AE1A2150F22695395ABFE0FADCC901016D357A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.532{D419E45B-78A4-60B6-BF02-00000000C401}39765096C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.532{D419E45B-78A4-60B6-BF02-00000000C401}39765096C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.517{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.517{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.517{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.517{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.220{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89C0385A564E71EDF565547BD425CBA2,SHA256=822BBB29129C5C479FB11A5E8D918FF8497DCB3EA1DDDBDDE3F6227300F7A5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.142{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F638C83D41C7C5DCA36D48B4BA82F3C2,SHA256=C2F2BB739CB6F38A2E77198FC5D32B03C9A877B0305D98D12C3D45BA37FF819C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595689Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:10.402{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025807E0CE9DDF0EF823D4EB508BF458,SHA256=5EA491134CF6830C7C2ECB79F4AF167E70A799F9263DECAA0C71BCAD28F693C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000650049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.501{D419E45B-DF02-60B8-844E-00000000C401}2400C:\Temp\notsharph.exeC:\Windows\SysWOW64\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=B7E2FC98A721415DE1B2A77D9A7B95ED,SHA256=CA6EE939BAD0EF32A1A62D1EA6D7D29006889FF6C4626650F9CD38FD6C27B87D,IMPHASH=F041BC2D00F8EE54536427C63882D791trueMicrosoft WindowsValid 10341000x8000000000000000650048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.485{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.485{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.485{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.470{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.470{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=547C0C6F8F3CDD9BDAD7D2D7F9EE51DB,SHA256=946D34548A08D8F77147BD8D9F5C29F81D530086A33DF2D6066B48092C8ECD87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.282{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000650035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.267{D419E45B-DF02-60B8-844E-00000000C401}2400C:\Temp\notsharph.exe3.0.0.0SharpHoundSharpHound-SharpHound.exe"C:\temp\notsharph.exe" --CollectionMethod allC:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=63D22AE0568B760B5E3AABB915313E44,SHA256=61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000650034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localEXE2021-06-03 13:54:10.251{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\notsharph.exe2021-06-03 13:54:10.251 23542300x8000000000000000650033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:10.142{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2CAAAA20258E368D5AA1893F66D059E,SHA256=17DDFFDE5D731A38C64D0C17861D4E0D4576584B9ED04164C89A8B65A00ECF98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595688Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:07.950{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49785-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595687Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:10.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C784145502D76C2BC34B13DE35FCBDE5,SHA256=4BD29AEA7375A50F4E4E47C894D706D1D01D7FCECE1DA2D874FA6D9F2C4A90D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595686Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:10.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7050362018F511243C860FD2BEE4DD5,SHA256=80629BC76FA2BC33D14FA03977A0E0DB7F28FAFBD1A0736CD272A00891D945E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:05.772{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49953-false10.0.1.12-8000- 354300x8000000000000000650088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.040{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49955-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.040{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49955-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.015{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49954-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.015{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49954-false10.0.1.14win-dc-233.attackrange.local389ldap 22542200x8000000000000000650084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.715{00000000-0000-0000-0000-000000000000}2400win-dc-233.attackrange.local0fe80::8a7:5018:d121:bd39;::ffff:10.0.1.14;<unknown process> 23542300x8000000000000000650083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6210B7C7BBC3717BF2209B44C7A7612,SHA256=36482EB9ACAC55BB3B8D7A144A02ECB98CB7C59F211615EEAE1C980E81216A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CF78AE2449BB666CD11A5B5FD50BE3,SHA256=80B6580BC2A8579796D5CA52776B882F3086A2C7D7F935F646D043BAB2CFA013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.517{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FA8646C827E430AD84DA17DBD3A996E4,SHA256=E949D4F5DBFC03D0A1A30280583A9B711483A528BF3690CE47D04D6C9B25AC90,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.157{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.bin2021-06-01 18:15:53.751 23542300x8000000000000000650079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.157{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\ZDQxOWU0NWItZWU4My00NDAxLTg1YzktNzNmMzNmMTc0MTRi.binMD5=26BDB80E12ED00E1E636BC404FCF8889,SHA256=BBE9BBECF696B85D7601BA69DBE6CC3BE56CBB4166E4583BB4F1BCA1A04F8FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595691Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:11.824{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C784145502D76C2BC34B13DE35FCBDE5,SHA256=4BD29AEA7375A50F4E4E47C894D706D1D01D7FCECE1DA2D874FA6D9F2C4A90D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595690Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:11.402{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145BAC3573CD818A5FD44EEADCB71017,SHA256=F696EC5358921465C1C92ADD72D38BD17BBA8C4B26543E585C4A5AFCADA95FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_computers.jsonMD5=BC6D79EF4F469420EE4F76EEE7183FDA,SHA256=539A89CCB4A769A572593D28F7E62EF24C3A82AE53EC4440034D41D9DFE17690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_domains.jsonMD5=7A427216FBAAD1AB6641EA318B845AA1,SHA256=760C0B1D64FCC7B229DBDF88760CE9C5946D3AECA6A755A0C06F9E3ED22985CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_ous.jsonMD5=1B470A6B21DC8CF7E99B5A250F76A852,SHA256=DF466F78B20C0737EB9A9F42CD09D7857F9BCCAC9B02ACE555E31A4D2B3436DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_users.jsonMD5=3E9BF373CFDF495E48CB3AF1A6845963,SHA256=60E6A1128967EE05C94EA16086FBF591FF2E4EB08005D5ACBBE1B4AE051B4B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.142{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_gpos.jsonMD5=DCB570C80F70EAC0F6A8803BF8F48F7F,SHA256=C57F8C8470A8B1832A69F537DC41F66B22B6EB03D2CFF0E8AD53EEE1E4BA0F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.126{D419E45B-DF02-60B8-844E-00000000C401}2400ATTACKRANGE\AdministratorC:\temp\notsharph.exeC:\Temp\20210603135410_groups.jsonMD5=03438CCBE4C4BB90D4E8E43FE45BE025,SHA256=971074EC0F76784F2622CE935A865136AAB34C36A7DC4646F22F9CC2A873CCFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.110{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_BloodHound.zip2021-06-03 13:54:11.110 11241100x8000000000000000650071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.079{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_computers.json2021-06-03 13:54:11.079 11241100x8000000000000000650070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.079{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_domains.json2021-06-03 13:54:11.079 11241100x8000000000000000650069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.079{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_ous.json2021-06-03 13:54:11.079 11241100x8000000000000000650068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.079{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_users.json2021-06-03 13:54:11.079 11241100x8000000000000000650067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.064{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_gpos.json2021-06-03 13:54:11.064 10341000x8000000000000000650066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.064{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000650065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.064{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000650064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.064{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000650063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.048{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.048{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.048{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.048{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.032{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000650058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.032{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.032{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000650056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:11.017{D419E45B-DF02-60B8-844E-00000000C401}2400C:\temp\notsharph.exeC:\Temp\20210603135410_groups.json2021-06-03 13:54:11.017 23542300x8000000000000000595697Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:12.480{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052D90A57C375753729C9D43A6DF1AA8,SHA256=7A13453EFD086149CF4BA1886242AAA3AA03B5E01080C6F3FF4307B887D14F12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49957-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49958-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.512{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49956-false10.0.1.14win-dc-233.attackrange.local389ldap 23542300x8000000000000000650107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:12.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FD376A6A7A7FCFE017EE6B6822FF359,SHA256=BA3791C112C3C9949FE51E87C6B076DADBF40C93A26D60D01E1E77DF411CED86,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000650106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:09.241{00000000-0000-0000-0000-000000000000}2400WIN-HOST-236.ATTACKRANGE.LOCAL0::ffff:10.0.1.15;<unknown process> 23542300x8000000000000000650105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:12.173{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8B4D4F17D976F1CBCD8E8D05E4B1E7,SHA256=18E3007BA8DCCBEB5A92298EA8E8D307BFDB45B33E2F63752224DE75709AAE8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.517{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49965-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.517{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49965-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.516{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49963-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.516{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49963-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.515{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49962-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.515{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49962-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49961-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49961-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-udptruefalse127.0.0.1-52420-false127.0.0.1-52420- 354300x8000000000000000650095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49960-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49959-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49957-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49958-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49960-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.514{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49959-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000650089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.513{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49956-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000595696Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.896{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49973-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595695Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.894{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49972-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595694Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.894{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49971-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595693Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.860{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49968-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 354300x8000000000000000595692Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:09.848{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal49967-false10.0.1.15win-host-236.attackrange.local445microsoft-ds 23542300x8000000000000000595698Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:13.480{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85D1C996B439CDE9A78BB2465C1C392,SHA256=46D504335632AA1450257E7068F921C0BB5456ED4771BB85E83CB1468FAA87A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:13.907{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787448969D794837FFDC61504A90182F,SHA256=0EA4F16D31C6905B2A2E1736777FBD48C71A58111C39A8278B3319345BF31A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:13.204{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9D268244164F00033E3838117950D3,SHA256=24FEE2016A66EC67BF624EDC78534B99EE854C9264CB794A017197F66B0B21AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.593{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49973-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.591{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49972-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.591{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49971-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.579{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49970-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.579{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49970-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.576{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49969-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.576{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49969-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.557{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49968-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.546{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49967-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000650112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.545{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local49966-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000650111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:08.545{00000000-0000-0000-0000-000000000000}2400<unknown process>-tcptruefalse10.0.1.14win-dc-233.attackrange.local49966-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000595699Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:14.480{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B88C07183AF15543837AEB078FD40E,SHA256=1D54D061C286113EEC58B0DA4C923D7FA3C13A41CEB10D27915830984FD45307,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.782{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:14.235{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D4F684DA42F39BB211101535D8295B,SHA256=0E8210CDED2C57636BC10A93F393CD79AF08BA310F5D88A7E4FC7E0D81B6DF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595701Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:15.511{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491B7EE58288FB4492E41FAD4CC53B6C,SHA256=7BB0B68806DCD4C473191C67D6E55A66E74D880DD4A204A0E26FC72E408466BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF07-60B8-864E-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DF07-60B8-864E-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.860{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF07-60B8-864E-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.861{D419E45B-DF07-60B8-864E-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.485{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591F8840D4E8B377C65F40AFC0B8ECDE,SHA256=A2FD362D8887CCDA9E064E7A41DF360676C2C0F5F09B90A5BAA672CB09212AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.470{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568214C028E4964DAD8BCF175C4CD264,SHA256=2D1EE9D9C7467D28E57E3A782C2F776A0DE67549949D5B6C579F60A2B54FBB80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.470{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF92AAC12F825C1088A873E996D1EA83,SHA256=B453D27BCDF495FB5B234D3D29B52B8652CFCAEBC8EE7599650FB94C637079E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.345{D419E45B-DF07-60B8-854E-00000000C401}62042716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595700Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:15.168{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=851DC86BD49F9E69B698E24BEAFD3479,SHA256=9F2CD3F325AC2B7057D4B6667CFA2D241798362EA6B9C4B80DFFA0ABF63096F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.189{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF07-60B8-854E-00000000C401}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF07-60B8-854E-00000000C401}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.173{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF07-60B8-854E-00000000C401}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:15.174{D419E45B-DF07-60B8-854E-00000000C401}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595703Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:16.521{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EDA96BDA8B5FA5F25D84AA7B047A5F,SHA256=6F8CB302A05699C6BDD36504580557502108BEA13FBBE7D0AC50497904ABB6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38BA1C6A8480D8A7DA10697D6ECAAA37,SHA256=2A7D45DCCCAB67AFFC541B0FFE191C0C73CF153D68BEAE873D0025F01F2798ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8EA68BE47C4273CCFEC5A51217D0A1,SHA256=524CAAA3ED58CC0E71C3AC39AFCC31D6E1AD28FBC55060347FDD6C473B52B9AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.542{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF08-60B8-874E-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF08-60B8-874E-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.526{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF08-60B8-874E-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.527{D419E45B-DF08-60B8-874E-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000595702Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:12.997{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49786-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000650193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:11.522{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49974-false10.0.1.12-8000- 10341000x8000000000000000650192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.048{D419E45B-DF07-60B8-864E-00000000C401}48966272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595704Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:17.521{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6878A55C291D3ABBBD3A227A40490128,SHA256=2A3D8D6B43B5C34B32A37F9FB715103AD36CF285261288C973FBE95C854B75D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF09-60B8-894E-00000000C401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF09-60B8-894E-00000000C401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.792{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF09-60B8-894E-00000000C401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.781{D419E45B-DF09-60B8-894E-00000000C401}1936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.776{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA1CF8E58AC26D1C128B88E42B3D0711,SHA256=3696D3FE4BE8EDF11359934BD15285D5438DD1037E684057467E2973AAAC0265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.776{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED82BD5F7A444F70FE368760ABBE838,SHA256=2613C3FC1E9CD4AB48E5212E9F8F3FD0E8A45753EB98FAE60E08C1414B64CDCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.370{D419E45B-DF09-60B8-884E-00000000C401}38804704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.214{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF09-60B8-884E-00000000C401}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DF09-60B8-884E-00000000C401}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.198{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF09-60B8-884E-00000000C401}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:17.199{D419E45B-DF09-60B8-884E-00000000C401}3880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000650241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF0A-60B8-8B4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DF0A-60B8-8B4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.933{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF0A-60B8-8B4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.925{D419E45B-DF0A-60B8-8B4E-00000000C401}6492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.917{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92F730FAD2319E8275F6893B0200659,SHA256=74FDCC686ECE842FF864ECF14B0B1A1F5747DCDFAF90B542D4E7423592F622B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.917{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38B688EAD8E797D1D131D005F23180C4,SHA256=6273940131F76715D385BF77288ECBB712B15156FB902F6C546BBA556A28EAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595705Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:18.537{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A5F94473029048BEA2FE0B93939435,SHA256=EC431604E60A56283504EF9DED7218DBCA2DF307700210B11D10AA6B909FA51C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.308{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF0A-60B8-8A4E-00000000C401}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650227Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-752F-60B6-0C00-00000000C401}8486564C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650226Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF0A-60B8-8A4E-00000000C401}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650225Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.292{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF0A-60B8-8A4E-00000000C401}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650224Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.293{D419E45B-DF0A-60B8-8A4E-00000000C401}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000650223Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:18.011{D419E45B-DF09-60B8-894E-00000000C401}19364024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:19.933{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DE9681045682E451EC8EB399D92053,SHA256=B317162C1DC3FABB641CCA7D99C4779A93F39ACC50FA03222C6E06103EB7C4AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595706Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:19.537{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AADAE6B6139659566607774ACEFF01,SHA256=DA6E61FB20C32A987F2AE96274CC9F867B0A628209449DB6A7D2254F28446A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:19.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F966BFA2783A14B6B7455D4894551C,SHA256=1250E905987AB1CCA33F9F3BDD169D75F64E57A8489D3F7DDF375E62B9EFAE2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:20.964{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89B685B67855BD0518C2DEBB08DFF83,SHA256=DD720378910321CAC5A96D26DA875C20174098299DA8C432AEB85C97F83D0BA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595710Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:18.038{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49787-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595709Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:20.552{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96962C2BD26B119709F6C6C9DEB481A6,SHA256=EF602402FC5833E8E7F48CEE115242DF51FE00BE087C50960D6380B9FDC44801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:20.809{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4605D87204BC2CF4F514E80F1D63C95D,SHA256=E934EA6645CCE4B24CD723FAC2857DD6598F3BEDD7E776F7C4AA6F9EE17DB5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595708Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:20.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ECBCE475F86E8D57CC83CB044667F81,SHA256=BB24244ECE0DB8FA7F805C4F861E1CCEF5457083B6B37FA6F589A8F30BFDE3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595707Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:20.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=558E6D89B48A8EB8C723151844A038CB,SHA256=4B9FA5B30A1BB436A8B57CB488B91FAD19A8E5276A3A7EF4294CD722D75EBD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595711Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:21.552{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A5A24063D32FFCB3C98B00AE82A18B,SHA256=CB2FE92E2957285A35635DE9F8245D288A4B921E98374685FF4627CE2DD7862E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:16.532{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49975-false10.0.1.12-8000- 23542300x8000000000000000595713Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:22.630{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ECBCE475F86E8D57CC83CB044667F81,SHA256=BB24244ECE0DB8FA7F805C4F861E1CCEF5457083B6B37FA6F589A8F30BFDE3BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595712Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:22.568{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B77AD7DA10DB32B4735E0F19BB39E5,SHA256=FC75CFEFEB1F17444C758F0B723F5D8D3E04217009771361B5E03E6CE13FA4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:22.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3ADA78A767CFD837BCE22CABC510B71,SHA256=71A87F1F1DAE1FFBD0C89D534FEE95889F873588C6B3644A0911046735F4256A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:22.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44EDC117D6458226563490ED1C330B2,SHA256=0BB2E1691C9A5FD5E5E32437D246BD2D8A7C276339969F6884F6BCDB0E348C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595714Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:23.568{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148D5B5F2607DD0A30C53428C3C96C6F,SHA256=C31CFCA7A17F32AC5172F0B244734ECECD7011EDE317E00A1FFE1B43D605B592,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:23.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B7F0DF023B19211CFB27AA0FDC2DF32,SHA256=B292D9E59B6D1CC8F6FD7834B567B8D18ECA3F2BF591347E1947468CB99FBCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:23.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30E1D3C7068C4B509757D74FD3CAB98,SHA256=984CB9FB9ACA5BFC995A7E818E058A2695427B618D060E78F56A92A04D2CB2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595715Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:24.584{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543EE6BEA8943754F34F64750F68EF4A,SHA256=B5D9CDF37709589CD4E15FC29006A62F2A63B258D1AA1FF5A8ECC9CA6D240BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:24.339{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C24B318F64DD3332612778E76C8869E2,SHA256=F65EE1715A8F16753036E9BFC2B4131B425EB1F2F1B664DC97E3D19941CD47E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:24.198{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E031A1E77F3887B053ABA06C1E2BAE,SHA256=2487841539BE38C18CBC85E6568B0C5B2E6CA484C4B0DB679DFF645BA80C2C01,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:25.761{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXEC:\$Recycle.Bin\S-1-5-21-3762655356-77726385-4168110057-500\$I1HQE7U.ps12021-06-03 13:54:25.761 354300x8000000000000000650255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:21.594{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49976-false10.0.1.12-8000- 23542300x8000000000000000650254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:25.542{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=042D5E09C60283D7085504CCB0D3ACCA,SHA256=96D2C5797DAA310AB74B1AD56A500C1FC8C9B0FE1AC823AD526B2311F1637D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:25.230{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B68F2D29EF1BB8D587414145AB8A11,SHA256=916545F08830994BDF222B5025AAC3179C7A0A58635E0D44EE819B803E330D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595716Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:25.599{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027B8061E3E3BE528FBA3C951B3914D1,SHA256=EC3654519B8ABB7FFD4D6F059D15578DAC7F8E1A552F2707914180FA5FA09132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A99F539C11EF1EDB91751415C166DCC3,SHA256=5763B8DD1411B462EF64632859A8009DA5D73F70B5E49DE453C5F65F8E4D36FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.542{D419E45B-78A4-60B6-BF02-00000000C401}39765096C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.542{D419E45B-78A4-60B6-BF02-00000000C401}39765096C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.526{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.526{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.526{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.526{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.464{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907B7336D7513B7527748490FBC95C28,SHA256=8CFD46E0397A3BC0E636837EC24242303E656631FECE4397474A5F7EA4ED2D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595719Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:26.615{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40568D4E679E64C27EEE46DCEAAD6E8A,SHA256=1EAC69F91890528E4E8EBC547F9C2B6E0E53D1C937D8FBC8846C43462D7D25B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595718Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:23.898{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49788-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595717Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:26.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388C2A4B14B3FBE9E63FB5D82A10D1FC,SHA256=46258AB221806C7B1F8D510BB62076D1B8ACDF799F6AEBA0E29A73FD3B7A00A5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.808{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\AzureHound.ps12021-06-01 20:59:15.697 23542300x8000000000000000650266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.761{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF156640CD09FC419EB995CDD64E917E,SHA256=38AB7F93E80722B60C09AD44DA1EFC950FD19A1E102C9D230C87AD6E522F503B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.542{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CEF926EB1794ECE6CA8E7DF35ED4A5,SHA256=D4B0816BE4D55C03DE6450E6EE4C28F0D183BA7725937786BA5B68CE0A68403A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595720Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:27.630{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F466DF4426DC9CE8AFE7091F2D0D30BB,SHA256=F931A18251954E901C3E66286D4EE630E39B1A9E54EF996E2464CD97D44CB3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595722Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:28.787{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF965df90.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595721Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:28.646{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC73BF48D91A7E71400719372D449EF4,SHA256=76325B54DAA2094942E50FD5A7D20A87390C0CF5E13141F5816A58F10C356EFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:28.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7407B396687929A61F6CF83660650D3,SHA256=CEC0B92B5279DEA7D2E37336BE6D4B1627D08F9898F9219AA24DA5071C2985D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.948{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.948{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cacheMD5=03EEF13C7CCD45883A576026C0F30911,SHA256=8984D11A351CBEEFCE5E0659518724B912A9FDECD8DA5E441732EF4ED3584BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.638{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCEAEE96AC4D772FC83DE290780E18A4,SHA256=0311A6B2E20AE6FE98561D2CED24434D232161FAF072AA8CDF44BF4A7A74CB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.573{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D68671045D002ED7B0C08825A4804D3,SHA256=E670A03965A6F07EA6F44743B9E1932FD43E26D5E6982C87D1F425BC4D9AB53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.573{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F194B8EAFF0632BDA8EC82209CAEB76,SHA256=906D3598BA7038EF014FFDD4276FB48ABEB9ECEF5C51D7EB174C0C0D2F726D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595723Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:29.662{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0764D84ECD5536A5D59D295BD6459F,SHA256=BACA1C191F18BF58591A6F630A4EE61CB1BD6780AD04720EBF6EEA518FF9BA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.464{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5F31C0A9A1499EACFBDB084911F397E,SHA256=C6A6C9144B42A3EC265EC922314FDF4DB70CD08BF9D78D67F9DB3BE8796E3CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.448{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.448{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.433{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1A0984A1C073C3FB0203BAAFCA502638,SHA256=0542187118ECB9925F835BB32713E03DD5B5E5B9B66CB4F9E7EDDF2D0C6BD0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.355{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A3F266C1DDFF6868CBE99A0D01BD5DA,SHA256=E6BF3E33D09459FF0E711C982035625A49C223429EF8B42BD2E3DA97CA5A29C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.339{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=687147D5B2E786AE3FF26450AADA4ED9,SHA256=E3C5BBD986785055ACA245BC3257BED5051B2CFA8D72FA6468F0A0AF59BB10EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.245{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=865356AA88E4798F44B2DBE227ACDD5D,SHA256=6C9F6E2E45D5E2DECFB8611783E96F79641CC198005C354F3E724303C6D7982E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.217{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E506B581B4B2AFC3C76B2ED1120FDC3A,SHA256=86DA978276279D2FE25E0C160B9C486DC37343F4CA8F2382D24FDFA10CA7382B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.167{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93D870B1D6AB9E83F71B7F34F14BBEBE,SHA256=F81C71EACFA039484B5EF5D026888A68250291A7A022FF6AC26C609CE948FE36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.026{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=94ABFB5096A8ECC984DFB9EA8D876D68,SHA256=7675C479433DFAC9BCF964435E6C85CCC772EADB48C779748E5FFA7FD06A7B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.026{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6EECA5D6C845F293AABE7993417BAB7,SHA256=9579DE4AB73A672B8ED26E38ECB75F0EEBEB1A44FFABE5A3878003D06055D9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595726Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:30.662{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E213D0CC833FC5676A726477F506757A,SHA256=9A46E3ACDADE9C516CD26C814A25989C6AD2D97EC623576014D2455161FEE26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.980{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.980{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.982{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local52656- 354300x8000000000000000650297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:26.766{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49977-false10.0.1.12-8000- 23542300x8000000000000000650296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.761{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.761{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cacheMD5=F8E4F2AC6D01D18F0E8CD5EB992BB3F3,SHA256=7FD24CE982E05847298F8E509B60C5EA1E041838F2346B231CD444E7B8DF71CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.573{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F8BCCEFB068293ED4605A90E235F09,SHA256=7E557EE8E1947ECCB954F485D8C2B0A8C839402A158F46A3DC5CF2110A811EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.480{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.464{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:30.448{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-aztenants.json2021-06-03 13:54:30.448 11241100x8000000000000000650290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:30.370{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroups.json2021-06-03 13:54:30.370 11241100x8000000000000000650289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:30.276{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azusers.json2021-06-03 13:54:30.276 23542300x8000000000000000650288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.198{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=800A9301283B526B9E470B8E015F2C83,SHA256=F19AEA49E255ECDA1ECD2F7651CD5AF676765B72B6450655F9D97B79B67E32AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85E6253448D41AD433F7BB30D105C44E,SHA256=5A1F45D4254858A685C987040D29A25142B5A93B65FC35C29EB9B9DE69EE8EA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.073{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14F5C8BBF4404E35511E4533C525A033,SHA256=DCBE9F5A2FF04CAAC9E3BB5B7DB0ACCEA9BCFB5270672A17657CABE06C943097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.011{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D9091B93DDEC6133EF5814F95EF744D,SHA256=EF3E33D260816CECF036D1FFBABF3893E3F1A401E4987206260D9BDE26F7624D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595725Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:30.318{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0787DDC60CCB4A0C15FE13F75273E61C,SHA256=8542DC4E69C7D5000DB45DC0397196C03666140E4DFE36E6637FBAF56AB3524B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595724Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:30.318{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=58267FC029525A660CBD7F7DD68DBBA3,SHA256=5754DDA688749EF9BA8124AF320592321CA641196F8F3DF72333123BCA56B724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595729Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:31.662{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C509CDDE94A57E448EDCF134D4C27FEC,SHA256=47E0A645DB4829B7AD63C4E0E7A3A5F0B340A635D2D90A73AB5A97D5492A62A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.745{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE7879719EB7736EED43A423284B15BF,SHA256=056E2AA136BE52DAF7390D55D2DF49197888D1969CCB8230CACF0E6504B7BD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.745{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.730{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650319Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.661{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49980-false40.126.26.131-443https 354300x8000000000000000650318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.640{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local57063- 354300x8000000000000000650317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.504{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49979-false20.190.132.43-443https 354300x8000000000000000650316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.481{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49676- 354300x8000000000000000650315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:27.039{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49978-false40.126.29.10-443https 23542300x8000000000000000650314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.651{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BC272B1B061A7C366F0B14E60632350,SHA256=E4CA48FC2A26A6C1A35D9CB48BC5B19E198CA73430E7CA56339FF11C64EB9CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.589{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01499548D930C7645DC129172E5C84B7,SHA256=F99431FFB8F1C85A81CA6D5A289F7B59874AADE3FC5AC2A6EC8A1CB2AD3F30C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.589{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17AEC58E12D38EB49118E5242A66F981,SHA256=52851E2148010F4529BC94014CD153197B1E3E9A29BDA2C755D851FC6B1607B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595728Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:29.085{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49789-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595727Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:31.052{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A91C633471A26A316B6641B85CF0A0FE,SHA256=4BDFC1FA43EAF98BEB144A9D0129F6124EBFDAD67ED6B929822432C5EF9AF1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650311Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.526{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.526{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650309Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.526{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8CBF71F76437F417B0C119AB21C73B58,SHA256=19362518A6F9FA9D9E29DE6465F714812F7EAB199BC215C1A68606FD379E78B1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650308Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:31.511{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azsubscriptions.json2021-06-03 13:54:31.511 22542200x8000000000000000650307Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:28.338{D419E45B-A18D-60B6-EF0A-00000000C401}3200graph.windows.net0type: 5 na.privatelink.msidentity.com;type: 5 prdf.aadg.msidentity.com;type: 5 www.tm.f.prd.aadg.akadns.net;::ffff:40.126.26.131;::ffff:40.126.26.18;::ffff:40.126.26.130;::ffff:20.190.154.141;::ffff:20.190.154.140;::ffff:40.126.26.19;::ffff:40.126.26.17;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000650306Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.448{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=323D3FDB74048A7AA25741858F169CB0,SHA256=23AA71F188D39356997BE8E47BE61AF368E3C4716AF61A7B67454145714F9960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650305Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.386{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B003B48E59B59E2B18AF4601C0FE6964,SHA256=972090CBA2FEA99D9CE773288A2CEE10A66FB36DB1EC3FBCDF7329CB1E9781EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650304Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53FC7E0BA34813BC3AA04071883A8FCB,SHA256=FADB84610B5026B9DBA23E6DD1660BCF0735125642429410EF45FDDBA9162006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650303Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.245{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04CD804FE7D62C489F34F93ABFFDB2F9,SHA256=427F48197C58363A1CA41A6E43DBF00821400FA149B27B7639CA27C812C2536A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650302Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8492DAC41D23D1E096EE1F040C3FFD3F,SHA256=263465650DE7079C8B1F7D750458D89EC4A9454BCC3C11C234B9BA9A6D93AD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650301Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E350E197BBF3E69BFE3DEC836DB0B02,SHA256=F3D3F8DF60DE8BCB5F445CED2C0F04B4C438525355F3F441B5829D5ED59AED2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595730Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:32.663{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74AD885A70B320D5B97E2A8FF9F7B58,SHA256=4DDD9CECAFA5F2BD893CB40AA84B225DBE59CEC10E219BA5BE2D1C81F68461D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.080{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49984-false13.86.219.80-443https 354300x8000000000000000650331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:28.718{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49983-false20.189.172.0-443https 354300x8000000000000000650330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:28.695{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local55467- 354300x8000000000000000650329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:28.535{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49982-false13.86.219.80-443https 354300x8000000000000000650328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:28.326{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49981-false13.86.219.80-443https 23542300x8000000000000000650327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.620{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8697979B37DCBE7EAB0514735FD6D3,SHA256=64D86E5FC401871A5BCFD6DDADA500F2B63E137D1D8598AAE2FA660A099CC7D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.511{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AB92F9CFBD0C84CE59C8C37F7F1C4D89,SHA256=20FA40DEC7002BB62E88608D9AB66264E2AB3A0303710CEC0FE38A4AF91AA8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.495{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.495{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.386{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D634C93E8C0570EB1F7024550EC6B01,SHA256=959F13712A960527BBB5F1878A1A59E929E397A9E3AECEAF87417A55A479D623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595731Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:33.664{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77565F35453306B8CA3ABB35BCAB3D6A,SHA256=95B647BD2DA7D16817CF2449BCBF33E884E657F0043F76AE6A313CE7488CF5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:33.792{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C0739DBB02C84F42C20DF6573134A16,SHA256=5FA4164094093F315B6E68D6DF657F414062CF78E15DFE40A8D287ADA9B91541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:33.792{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448511EF64AAC15C5D85A5A653F5D9B0,SHA256=142EBFF8A133EE6145D3121D748D14F8ACE7266DC0AE0D5FA048AA26AE9F08A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.261{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65505-false127.0.0.1-53domain 354300x8000000000000000650342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.250{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65507- 354300x8000000000000000650341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.250{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65505- 354300x8000000000000000650340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.250{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9860:c3a0:a8a:ffff-65505-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000650339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.220{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65507- 22542200x8000000000000000650338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.393{D419E45B-A18D-60B6-EF0A-00000000C401}3200dc.services.visualstudio.com0type: 5 dc.applicationinsights.microsoft.com;type: 5 dc.applicationinsights.azure.com;type: 5 global.in.ai.monitor.azure.com;type: 5 global.in.ai.privatelink.monitor.azure.com;type: 5 dc.trafficmanager.net;type: 5 wus03-breeziest-in.cloudapp.net;::ffff:20.189.172.0;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000650337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:33.339{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:33.339{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:33.124{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:33.124{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:33.105{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azresourcegroups.json2021-06-03 13:54:33.105 23542300x8000000000000000650350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.823{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD3B1C1D23C754CF9D343CDDE4369E1,SHA256=74383E0516395C9A6412E7D0A9EBEEC6819318AC1A1C1485A8073E5B9F8412BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595732Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:34.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB02BDD62E512986187CC51F8708F4FF,SHA256=8C530B45730E3E2B5395252476C787D7DB46E12FF7165459A0B1BA678F7DC103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08543D592EC9BBE67920677EA525AB24,SHA256=1BA2865E80BD5D050F1A9050D722B71A6C48ED464E69C234BDB9A081C32E9B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.245{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.230{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.167{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=33D02DA469E8B5C3A7B0BF0D8FA502D6,SHA256=1B8537978F76D4B14B09F6147F58D8DC1064580B739CDB2153591AD9DB19F26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.965{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.950{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.950{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.950{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.825{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AECA5D6A4FEA7595F224C8BA545CB91,SHA256=B82805D88C85B443FA1F2893202CCEC9E568E25D4822B380CAB69B500A0F443A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.825{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56D0C550ABA25E41FAA39588E134BD16,SHA256=B045925390414361E17FD974DFF3377B98A81D8911265D97354CE657523337AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595733Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:35.682{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9305909860C560C761E2E2DC6BD135,SHA256=186A142F3BFC621922415A276710D2AF0E680EDCAA2DF1F02BBE058802B25F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.245{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B7132670AB68EDE08020B9722DA8F17,SHA256=98D31B0CD9C92D7E4D8DA3E8D245D39377D90256630CC0E50A500F657ABD02E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.230{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.214{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.039{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49991-false20.189.172.0-443https 354300x8000000000000000650361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.888{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49990-false13.86.219.80-443https 354300x8000000000000000650360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.677{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49989-false13.86.219.80-443https 354300x8000000000000000650359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.266{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52178- 354300x8000000000000000650358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.235{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local52178- 354300x8000000000000000650357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.226{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49988-false20.189.172.0-443https 354300x8000000000000000650356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:30.052{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49987-false13.86.219.80-443https 354300x8000000000000000650355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.434{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49986-false20.189.172.0-443https 354300x8000000000000000650354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:29.291{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49985-false13.86.219.80-443https 23542300x8000000000000000650353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.027{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.011{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:35.011{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azvms.json2021-06-03 13:54:35.011 23542300x8000000000000000650380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.982{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1D9F1DDDA55E4C56255612BA462E3DD5,SHA256=A001B4D835C533F8D37918EA73E964F5316BFCA5F718A7528C7321C4DF83C02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.966{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=832A6272AEEAABF71BE7ABCFC67A115D,SHA256=937B447662EC6D24ED90582E95445CEE7EA0D3BC388CE982D738D182392224FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.563{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local49995-false10.0.1.12-8000- 354300x8000000000000000650377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.950{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49993-false20.189.172.0-443https 354300x8000000000000000650376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:31.790{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49992-false13.86.219.80-443https 11241100x8000000000000000650375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:36.857{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupowners.json2021-06-03 13:54:36.857 23542300x8000000000000000650374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.841{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176E1CF6960291F8C1AC2D64D480CA72,SHA256=027A7A20AEE4A5CC7517F2CABB059EC75109C17424FD130949E0271836F130C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595734Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:36.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9E905107862658AC7359477409EED8,SHA256=DBE0E3B63135EE7756BB4511975E6CAEDC188F13FA2884CAC941DF4E6483D364,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:36.717{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azdevices.json2021-06-03 13:54:36.717 11241100x8000000000000000650372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:36.578{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azkeyvaults.json2021-06-03 13:54:36.578 354300x8000000000000000650392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:33.687{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49999-false20.189.172.0-443https 354300x8000000000000000650391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:33.510{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49998-false13.86.219.80-443https 354300x8000000000000000650390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.926{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49997-false20.189.172.0-443https 354300x8000000000000000650389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.776{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49996-false13.86.219.80-443https 354300x8000000000000000650388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:32.574{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local49994-false13.86.219.80-443https 23542300x8000000000000000650387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.861{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04C5EF62CE48A2DA02BE7D65E101BFA,SHA256=28AE0C3E1D6B19D23ECB31259F7C1FF0186AF50B7BD94107DDF06EA5D7F3BC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595737Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:37.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4AC596D4390767BD3E4F4A32FC371E,SHA256=7F79EE6350036B4A589FFB836D8CAC46DA17500643B99F0752A2EB3F720A0BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.216{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.216{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.045{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF20B0537899772131CC7554FF25276,SHA256=45322667986891906AE247C48E3462BB57CF26E07FBC594A246F0A756FBE8465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.013{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.998{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:36.998{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupmembers.json2021-06-03 13:54:36.998 23542300x8000000000000000595736Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:37.057{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42C9C99027A719ADF85120B3E08E6412,SHA256=2BBA986E95B573B32C87DF0419BD18AB3DAC625BBDEB95D15B60E9171962B543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595735Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:37.057{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9665C66444318B3072B080DC9471C327,SHA256=F272A9AA46559C87EA5EA57D678E6F5C6DE3F94CDAD03C685325672AB24D904B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.995{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50002-false20.189.172.0-443https 354300x8000000000000000650402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.773{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50001-false13.86.219.80-443https 354300x8000000000000000650401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:34.561{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50000-false13.86.219.80-443https 23542300x8000000000000000650400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.877{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154B8471368F9A2ED46517D1C6840BAC,SHA256=D1E0353F531DA5A287397812119E04E8E21FB64E61EAD1764EC0B8ADE579E979,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595739Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:34.871{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49790-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595738Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:38.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E55E872FC960997520383E05B82888D,SHA256=EC3A9E68FCBDA93A68B7E732B4727D7AFCA47FB60CD172F50ACB5E1861F79912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.861{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.846{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:38.846{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azvmpermissions.json2021-06-03 13:54:38.846 23542300x8000000000000000650396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C358F70C5D68FD7F370D0203C015DDD4,SHA256=CAD2952A55BDF839F017006EB512F3FA6AC5C7CAE7404C9AEDE9A40EBC4DBE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AF186FBBE2E1A07E4525A382F92B845,SHA256=591F471FE56178654EBACA47559A905F9D1148E5CB1F83E5442BD4FFD652C3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595740Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:39.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B433DA8136F0F3ED4AE9750E69662DA,SHA256=102DE90D841E4CA5A1D5779082CFA042A8207A453D094C42C5D3398AF2553B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0C54E664BB7FFCFC6F540B1DF3902F,SHA256=8B0D286D06C173FA38095B86344D00779AF2E8C9D94CD69CCB150F7D9EC49566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.846{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AEF865118055ED817A4042E015418B1,SHA256=633D1E64E6888AD940902F861613042E0D772DAE4AC776A6E2F0FF18731477CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.408{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB49ABF10D5876119A6F7195A2BBB381,SHA256=53DDDFC092F9B922E031A6E5ED063FBE3E580736D825166E1D886E65FA960B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.408{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54EE2034BA7BE3A4BD6158EC85043DFA,SHA256=D473AA60AACA47DD59D71C22250A61694E999A7642431D994B00FE2F4E8A08E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.143{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.939{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A71CDD4EA91806B1E6680A6394AEB4,SHA256=31B3FF6051C25E935EAADF54C2D500CB25EFE53130077A8E2D7539FBF7607671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595741Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:40.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7485CC0DB046A695578E46E33BC8A070,SHA256=0EA19965F1C77DD9C308C8BC471772DD746DB59178E201C1F4AC64A648E0DECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.877{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.877{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:40.861{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azrgpermissions.json2021-06-03 13:54:40.861 23542300x8000000000000000650415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.674{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3740714A924E3F8B2C945598EFC2F324,SHA256=6F70E171A1AC3F4ACFD8DE08B805A63E1E40C33ADB7E6D766E3881AC19048B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.033{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.407{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50005-false13.86.219.80-443https 354300x8000000000000000650411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.718{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50004-false20.189.172.0-443https 354300x8000000000000000650410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:35.565{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50003-false13.86.219.80-443https 23542300x8000000000000000595742Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:41.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0961A1DFEBD1D63F537C3FE2063DAA5E,SHA256=662526E8D9B6D43EB700F56EF084F72717E5D00F69EE6B2963A986C5DDD60D32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.580{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.580{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.564{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.564{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.096{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.096{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B79B1711F88B0298AA41B6798D20982,SHA256=6D5597DD88D5526B1D28623C8AE339CFE45E369C1BDD2B6C66B894E28853B2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595745Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:42.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=966E65F907F04BE24AC79C891286C418,SHA256=E0B0C895B7F3C3BE6469AB858DFE7B610318EE1BB20548D6E65C511D04F05E7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.830{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.814{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.814{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C4ED5F7A525E7A7767B58C0640DC4E8,SHA256=78907C257B5B8663629B91BCB09A5F516E55D6966DC00D9983DA1FE0780AEBE9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.799{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationowners.json2021-06-03 13:54:42.799 23542300x8000000000000000650440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A71B6D7C93F9394892D7BDCA2C8C4B4C,SHA256=739C2A1A2F129F3F3C056D0F2234A5009906A22346D291801CE0B503B81B32A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.705{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azprivroleadminrights.json2021-06-03 13:54:42.705 11241100x8000000000000000650438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.689{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azglobaladminrights.json2021-06-03 13:54:42.689 11241100x8000000000000000650437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.674{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupsrights.json2021-06-03 13:54:42.674 11241100x8000000000000000650436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.658{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azpwresetrights.json2021-06-03 13:54:42.658 11241100x8000000000000000650435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:42.424{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azkvpermissions.json2021-06-03 13:54:42.424 23542300x8000000000000000650434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=677551496CBC57DEC94DC4878AD32704,SHA256=81D507B097817346E35B94E906B6E53620CE824D8070ACFA5FCC19876433E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:42.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656A820CF4A9EF0F045550BA5C48B789,SHA256=6A7CA1222740BDF6C9FABF2FEBF3152DFFE9AB17840CE6C4F5E7569AA6D2F729,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.437{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50011-false13.86.219.80-443https 354300x8000000000000000650431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.718{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50010-false20.189.172.0-443https 354300x8000000000000000650430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.601{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50009-false10.0.1.12-8000- 354300x8000000000000000650429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:37.575{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50008-false13.86.219.80-443https 354300x8000000000000000650428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.841{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50007-false20.189.172.0-443https 354300x8000000000000000650427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:36.691{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50006-false13.86.219.80-443https 23542300x8000000000000000595744Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:42.119{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0572769C4AA1D85BC77BE131A675DA7B,SHA256=893E2533C0A61CA717ADCF688900DF964939CFB73E35965E75FDCBB6F9F9FCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595743Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:42.119{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42C9C99027A719ADF85120B3E08E6412,SHA256=2BBA986E95B573B32C87DF0419BD18AB3DAC625BBDEB95D15B60E9171962B543,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595747Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:39.949{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49791-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595746Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:43.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F375D8BB789C44DA50CDBAAA8BAF352,SHA256=8F952452FF3DB3F041597B2F57743881EEF8D648E924F2A1AE28B7BABDAD4DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.877{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7377B14F81FF5B588EB578D8DCDD01DF,SHA256=968BE112C9198B69B46BDCE33E107BFF88580DB1C52FF6554953EDC14EE06A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39BF55B1A3E0A713BBEEB29D6F29A773,SHA256=DF885C8AD43ED27BEF95D4363BE69109D6ED158211615E81389DFE531BEB156E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C7F839E3608C9BF9722DC53AF7F4ADA,SHA256=A4A41A2E994EB3492DB66C43DE2258A30E2E56E0C14C4BBD19E552D6B307105E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F01845E2A7CE0DABCB6A1911A1A62775,SHA256=3813135F237F88D501D67DF169EE4C11E75589B8279822E0A92B5FE1B2A1DB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.189{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.189{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.143{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E064839EDD23AD7D338B87D2CE3A35BF,SHA256=285159C43C3DCF3292FB12E5B2AA1BF66DBEAA639F765DCDEED0FB3410B461F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.297{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50015-false20.189.172.0-443https 354300x8000000000000000650449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:39.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50014-false13.86.219.80-443https 354300x8000000000000000650448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.810{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50013-false20.189.172.0-443https 354300x8000000000000000650447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:38.652{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50012-false13.86.219.80-443https 23542300x8000000000000000650446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.018{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cacheMD5=873E03DCAFDA6E1F8142CDB2F10C046E,SHA256=BEE48B303E091490D9E39634526109433A113E55B9B9292516A503623D4C3A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595748Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:44.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7476CCDB8F4E38B2FDB5E186FC64F0A,SHA256=DDB3958E09334CE5A853EBD2F166FB4DD20E8440D295FF522F167C7BF0D1FCFA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:44.689{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azurecollection.zip2021-06-03 13:54:44.689 11241100x8000000000000000650461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:44.643{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azcloudappadmins.json2021-06-03 13:54:44.643 11241100x8000000000000000650460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:44.643{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationadmins.json2021-06-03 13:54:44.643 11241100x8000000000000000650459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:54:44.627{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationtosp.json2021-06-03 13:54:44.627 23542300x8000000000000000650458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:44.283{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9E39790A50B436C9BD47FF2826F90B,SHA256=F13E70E36884A99035751B67F3DC119041AC469D672A83F3F7CD20B46635E6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595749Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:45.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDDF46EF3AEBFC5E28806FED600817B,SHA256=CC9726E447A54815C9F90E399387E55D6CD27900025FACBF33A283FF671FB951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9710DDD04F9DA8A68B1DC58A47CDA8A2,SHA256=88E66770B26D455C52080A613E12006835BE2A70327C902545254801F3F358B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.299{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D34E691E060327C88F9216C7C8C30D,SHA256=01657BF1C5CBA094A806910DE4D527C8D95B7F8D1A8E036AF2434A4F6C9D778B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.283{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azvms.jsonMD5=1BC81925A20C7F096502DCA2C9C47C9C,SHA256=6322AEC107856D523DC0EDA6564DD3643E3F8F4F11C5398BCF5BD2905A6E0C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.283{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azvmpermissions.jsonMD5=7A47EC350D1D2133DAD1DF478C97CBD4,SHA256=4FBBBD5F5C6D609250940B7F785EBBE1CCD853887C752B6075B2651031067D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azusers.jsonMD5=E144CFAD0FE3AA7EACBF3CA8FDC88182,SHA256=7C5C4DB0398C3A18AED6DA46B358D137B847E783ED1F9F8B839C0B5654C1CED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-aztenants.jsonMD5=D1D52BE3FA4CE6E2D2382CBBE77486E9,SHA256=6E5AA4D5B464D55A65D95FF36675321A8316B2D6ADA9DBFDCDC504E5744A7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azsubscriptions.jsonMD5=5B499DC9AB3282214FEF6BCF0843A8C7,SHA256=8B33B8615ED1EA02DD47577B19D8EE2398FAFACF56E33066B778A0B86A151D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azrgpermissions.jsonMD5=6EA565ABCEBA55D19CF97E4C96E60B5D,SHA256=7052BDB6DE23B7452F9EB22362F8259C8484735656BA04183E4BD0B8E77BC248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azresourcegroups.jsonMD5=F6EC60B82A1DB86C4B8766CC6EB167D5,SHA256=6BDE29AA2214694A25CF1985C780E3274CC15E5BF2F9D3ABAB66D5D97E3F09D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azpwresetrights.jsonMD5=D4FA697B3330E334F135E70BD56B1727,SHA256=7BC07A457B9DDD01D44E882740CA583F370D31CE7490F40948552D3A47AB6827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azprivroleadminrights.jsonMD5=F78CA8D8BDF80D01E74ED7287665F1DA,SHA256=D693916C72B4F996FAB35A085C3378CDF188F376D40C4D894CBA74068DC23CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azkvpermissions.jsonMD5=9C478B11F7528FB3BAA8F4993BAF70B7,SHA256=A92449DED51E6EB4FF14ED36D24EB8A00052F2B69487F851BD05134F5D5118E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azkeyvaults.jsonMD5=4100B70CD1C1DCAE2715B81CE21345F2,SHA256=93D6F2CB90BDDA1EE8CF7372FBBC13D2BBD4E83F7B7B946C8D00216362234AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupsrights.jsonMD5=C3B4A2BB61E6CFC06AB06FC89F3C9805,SHA256=350766AC6EB1012915C4D553E4B051B9108281880704FEE57B9C565624E7D782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroups.jsonMD5=2084BBD7754D35067B150A0B3D8863D9,SHA256=EA31AE8F35B76AD4AAF4B6194992E174636CE5AA07F61F17B9EB44DC734EED35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupowners.jsonMD5=601630A1338D5A321681E8EB6D669E70,SHA256=6BFE453149EC66EBF11BCB4FFC035A3BF20478F3D42FF3CFBB25DF844176D5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.268{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azgroupmembers.jsonMD5=CCE2966BE725FBFFC01F218D2B4698F2,SHA256=8D5590A1636B35F1032D6DD8B40CD40CD8DDFF820EE9EA4971CDC03ED188CA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azglobaladminrights.jsonMD5=B8309D3AA5D04E8B9F46A80A3D9082DD,SHA256=4D131E8A1123E337F8FAD05B116CAD47D010C264BA5534C207DA2C2ED83DA011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azdevices.jsonMD5=6E0B808FAA0CCC7E25CEFF3FE2544ED8,SHA256=E86924891B7B1B68EC5C24CAF380E86D474FBDCC381B0A5703A61BFC62065B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azcloudappadmins.jsonMD5=78B89398A676E37D525E6732E8A4D662,SHA256=B7260D16327367A0ACC67E423EE3DB2E43303A874966F58E04A62124DCDDE9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationtosp.jsonMD5=152DFF62532242B467136D9FA375580D,SHA256=AE43BB0860EF7B14646EB45E24A7371470DC087F19009A046A6F57CBD7C1AA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationowners.jsonMD5=6AA018EB96650197815AE716B0942412,SHA256=55664B3231D64DB9A54A0844C028828C9E5F8827126D10DC5D5B8C09A0CB04CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.252{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015429-azapplicationadmins.jsonMD5=FBD267B18D994FFD0670FE0D66079195,SHA256=3276C01CC052BB3666FD4B67A63E9B6042FB15409885D40A766BA37888D49E35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.567{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50016-false40.126.26.131-443https 23542300x8000000000000000650463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:45.127{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EE4E9DF855F0186818068FBB8AD2292,SHA256=6236F5337F3E111DABB51C9FE7CF00C8CB1D33DFFB0724C30F7453753957415F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595750Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:46.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98EA207B5DC8F21B557437DC4AB6460,SHA256=A16F0CE321E71099DB5D1C381178274281F39AA3F61D3A12D1CE2DE71B177B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:46.314{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB0008B6F460BE910B8F51A8AE3B035,SHA256=33671BC55B65437C44EF487C36452F811965FD1CC53F465C9DE13D2B4B34709B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.624{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50029-false20.189.172.0-443https 354300x8000000000000000650492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:41.095{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50028-false20.189.172.0-443https 354300x8000000000000000650491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:40.737{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50017-false40.126.26.131-443https 23542300x8000000000000000650490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:46.221{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3B5B29AB18654B4A434E2E4BA3CDB3A,SHA256=0B48C529F2C24A029CC9D916DABED01BD747A918BFAD5916F2FA88B42BD43E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:46.080{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72736C45CD606714CFE35B958DFF38B8,SHA256=A35A9E22CB151D9A52F48B272FC5D795FF45D99354AE5D6CDA63B16A0B731557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:46.018{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A22C89EEF339F3A756881C6B1CB3A8F6,SHA256=52058B770F6A6645CA143B7669A3F6303746BD4FB4347EE3F67D81562C44E811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595754Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:45.012{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49792-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595753Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:47.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5A74C4AADF0C7CE52F8EE241BBFD5B,SHA256=F9C28E4EB1F624788ED68D7D780A3977B182BAB4B5853160405D931B31FE683D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:47.502{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E472E9D8842181B0AEFEEFDB7EF1ECA,SHA256=13E9BEA11970B1932A4EFFAFE69C2088E7EE980EC1E557D40627C988EFE2A1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:47.502{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBAAEF308424449F653E7CE33365313,SHA256=002DD63BFEFE7EB5A4B3061FA4B213403DEE8E269138F1E2AC8E1CAFCDC4D4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595752Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:47.182{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F2A5A1C58EFCB43E427D8395A771807,SHA256=3B9276720A9A53EE4A8159A22210E4E2989A4968822255FF35B90B1287271765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595751Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:47.182{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0572769C4AA1D85BC77BE131A675DA7B,SHA256=893E2533C0A61CA717ADCF688900DF964939CFB73E35965E75FDCBB6F9F9FCF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595755Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:48.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03556455C18C4503EE33AA98B3F6770,SHA256=7B6FFAC635E5EAE42F7D77C4D2C2132F7575D071CF0E3A39EE541A6759C717C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:48.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DAB42BCCCBB72B03FB8DA5BAC86D0F7,SHA256=E20CEFA25A7F7051D2476CCF11988448162C7C8B1DFA43CF52C9B0B8B8F5732C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:48.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BECA766A57E151CDFCAB66C0345F75E,SHA256=E101354F19C4B87B227328EC3BCF16C37B5F64CCC9DCF5116AF315F5E6B1C846,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:43.585{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50030-false10.0.1.12-8000- 23542300x8000000000000000595765Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD816C1C2570696992E2D7B45EFCAB23,SHA256=13CDC39E812D2F1FDE1CEF77B1717CA7E572CB55245A20931EE387012269A470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595764Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.729{97C2ED32-DF29-60B8-5858-00000000C501}47325956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:49.783{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F90B3D85417C8027FE8F06BFF22C89A,SHA256=B4EC667BF9C24FD7F6BE91C57B0E24736C89541639853AD60AC58E69E20006A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:49.549{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F00908F2017AE9042E56B57A5B654D0,SHA256=8CA18CD424BBF79742F554BF672C60453F5992C3C372EFAB62B7614F73D29E3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595763Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF29-60B8-5858-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595762Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595761Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595760Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595759Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595758Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF29-60B8-5858-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595757Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF29-60B8-5858-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595756Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:49.573{97C2ED32-DF29-60B8-5858-00000000C501}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:50.814{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE3CFF35D6AEA26E8F476F7F851EEB8E,SHA256=26C353E198822BE5D2511F6D682794A53BB9F0AA246FFC8EFBD0E519B898272E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:50.580{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC9B639A6E6B85E3675CF0909206DA3,SHA256=EE1E52E8CD265A6079BA1825F84C7004D3AA1020CC80067076E5E47BFBF730DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595784Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2A-60B8-5A58-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595783Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595782Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595781Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595780Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595779Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF2A-60B8-5A58-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595778Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.916{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2A-60B8-5A58-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595777Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.917{97C2ED32-DF2A-60B8-5A58-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595776Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B3CBBBC32E955AA68DC93C3F64B97C,SHA256=D557FF7B44A138187B5D36D338766E02F4050156643310622EC42B717A4F7283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595775Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F2A5A1C58EFCB43E427D8395A771807,SHA256=3B9276720A9A53EE4A8159A22210E4E2989A4968822255FF35B90B1287271765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595774Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.369{97C2ED32-DF2A-60B8-5958-00000000C501}39246064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595773Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2A-60B8-5958-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595772Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595771Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595770Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595769Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595768Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF2A-60B8-5958-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595767Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.244{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2A-60B8-5958-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595766Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.245{97C2ED32-DF2A-60B8-5958-00000000C501}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595794Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=994B9F31E978BDFF61E4263B63349974,SHA256=1922C91D2AB730A22991111643EED3C4CF807D0B78D7202549A1337E6758B7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595793Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDFBDC414024FD43CB88450714C3C86,SHA256=6B6F543F37358058CE906C455B9D8AC1962A2B54A1B5CFB842EAED9C133EDFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:51.596{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FFA3949BAB8989842874CC9A401627,SHA256=FC7736D8AF6C0F510D392DD78C8E3E6260B88728DEF124EE2968024598F8FE4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595792Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2B-60B8-5B58-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595791Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595790Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595789Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595788Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595787Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF2B-60B8-5B58-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595786Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.588{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2B-60B8-5B58-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595785Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:51.589{97C2ED32-DF2B-60B8-5B58-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000595813Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2C-60B8-5D58-00000000C501}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595812Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595811Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595810Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595809Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595808Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF2C-60B8-5D58-00000000C501}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595807Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.932{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2C-60B8-5D58-00000000C501}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595806Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.933{97C2ED32-DF2C-60B8-5D58-00000000C501}5508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000595805Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:50.027{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49793-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595804Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF1D1F3CB1ACD92EACCB6504D9CD49C,SHA256=B48708C446ED59CE0AAC6CE9BC1C40B5BAE205D827BE2D8AB5D63016D69288BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:52.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1619F33B324D2EC10F032D38B492FF2,SHA256=3668AFA31314D439D063544315671BC8616354A6E504BE8786EE96FB80925D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595803Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.385{97C2ED32-DF2C-60B8-5C58-00000000C501}1416732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595802Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2C-60B8-5C58-00000000C501}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595801Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595800Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595799Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595798Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595797Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DF2C-60B8-5C58-00000000C501}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595796Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.260{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2C-60B8-5C58-00000000C501}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595795Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:52.261{97C2ED32-DF2C-60B8-5C58-00000000C501}1416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:52.064{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD90C9818E48A8AA519C930A3173BE82,SHA256=DD0ABE200F2295C37994F159635DF774BDE2504944A675E5D7D6736486E087B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595824Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16962AE31AEF38C7A3193FBD42794F71,SHA256=8FBC4EC8C2949157F5AF95B285F55F266EAFFA09B1AD1581B0113B379733ADE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595823Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.744{97C2ED32-DF2D-60B8-5E58-00000000C501}49123328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:53.721{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AF22B31017480BDBCB4AC58085C10F,SHA256=EF773CB9E839F348FD4C4EDF741EEA25E9DA7BFF74946304B01E4457170D01ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595822Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF2D-60B8-5E58-00000000C501}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595821Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595820Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595818Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595817Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF2D-60B8-5E58-00000000C501}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595816Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF2D-60B8-5E58-00000000C501}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595815Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.604{97C2ED32-DF2D-60B8-5E58-00000000C501}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595814Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:53.260{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A45D332A5C8C47FDE2EB208797FF51D6,SHA256=9868834B8953B121F9F5395310C3C5E00AEFE63C10818B88BBEA956659E44070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:48.710{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50031-false10.0.1.12-8000- 23542300x8000000000000000650507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:53.174{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B212D638BCD7E22151DC5E682D299E1B,SHA256=38415771B4AE1B870647F72CD7BDDC3B017A153F78D4A17506590641824C0AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595826Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:54.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBC71544DAF7C769A9C5F50594FB4303,SHA256=C549BC18DDFEF9DED523CA28C92188075AA8C1C779D91967AAAB39EC64FE698C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595825Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:54.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B115720835E18193CB0E6211A5A8C73,SHA256=9C34D92070548095C80650BB4E1EBE9553918B154C37B12CE17314E344F06BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:54.736{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B4839F9C2D0D7396727969373DD345,SHA256=DB706653E8BB127E2E213FA8ED3A114D3BD6D25030C0BE5E8E61556F7F6123F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:54.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A39CB482F85836E943BDF9594CA9C10A,SHA256=B540C0EFBAF95B83C78A7301D961439297AA616D92BF986E65FFDEEABEAC18D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:55.986{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8740E2CA1659E4A552A1885E8B34CA06,SHA256=81BFA62FFDBFE1728007692515E00A3E092CA19E80456CA85BAA3597E99DCD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595827Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:55.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55AD9201B34E472599FA5DEAE8A3DA8,SHA256=8AB4AF45F55FB3D525EF95BCE5CB97B3BFB4657A2F0BADB0BECD2EC9E9C3008B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:55.565{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FE305A71E6956FCF94511D515EFDE8C,SHA256=9F3D166846D1F27E25E3A3F98FC0382720C43928B964B0A717674198CA5C4DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595828Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:56.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9CA7808E46C4F0F4664E9F5563B07F,SHA256=A29FE058EDC028B049DEE0591F813B2D13BF5174821322A34F1B327A5D49C522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:56.673{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB8348CC1D34B6DD368A71E69AE9862B,SHA256=53502AE1CE3273EE0A784558E11D7BD9C4D5C6E09F9E6B449BBE035E11508468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595830Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:57.746{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5FCFF1E181980B840F113854B26BB4,SHA256=65C0EF6F2921FE33145296CB7DFC322BA0CF39CA9EA66C06D95B42323D5E1E23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:53.773{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50032-false10.0.1.12-8000- 23542300x8000000000000000650515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:57.017{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37930AF63158AE6774DC968BC9856D1D,SHA256=D12D3F58F68DA40D77CCBCA58A9DDECD65C4223EC423FFEA53F73B85073392E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595829Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:57.308{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595833Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:56.044{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49794-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595832Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:58.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3989AD683DA20B3B965E7515D9393E0,SHA256=5C9E526E80EA15B040780FD2119C537512FF1AA79240A6E14E9E094B92F6019D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:58.189{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672CC544F95CBE5D1E3ECA0C6695294A,SHA256=645758C3CA0F1428614A5690242ACE9991F656D4D4DF81D5C5071578201CD578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595831Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:58.308{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C447FD5686F640FAEC6D184C37374E87,SHA256=A5EFDAC37724C7DFFD3A2CA9522387CDE48C8D08DE5EC2FACF737FD889DBBD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:58.173{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3186324D0D7FBEEFF82975ED61CEB833,SHA256=1AB3E45F1492E30ADA98424EC92DDF53A5E5E1B6D495F20DD388180463F0B7D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595835Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:56.122{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49795-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000595834Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:54:59.777{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19C083043B46D7D8B67AE4FB03CC017,SHA256=41A4E909CF5A5E04BDE1697DA99C54408F6A88B4DBF04C64DBA9B987BC007D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:59.345{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57C3EADCE458BC09F805CDC7B81A0E7,SHA256=80CD76C4F9860B8DA57D9DF985785511000E04952F132DCEBA8ADE5C8CEE2C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:59.204{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6A33E34D189E0F79B374FD92E901E8,SHA256=E99EB06F5A5F6BD8033EF5E010E87F9D33CF9DBC04258D40B38A52458189612A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:00.777{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13108F07A56898A2E9E099CEE0CE27A7,SHA256=ADAFC4AF2851CC82E4B60C6AAB87A9BCCA53A2A7E5302474C3BF27BCF5D5BCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:00.392{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A0A7F216EB7FDCF54F7BFB4E242B4AA,SHA256=7AF8CA42159DC9214E716A632B33D47AA359A82CA9B5F98D25744F159F696869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:00.267{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:00.236{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68D122BF6EA0F64DA01433A4E24B3A21,SHA256=84A907AA637C45698BE6236123CD93E2557732B25E8B72A04808C85D101952B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595838Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:01.902{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F4864DAD8D954B4EFA2D0712286E6B48,SHA256=12565C5C68337EEDAF360902C450596F75DA25F17194B75D972F2D41C3186A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595837Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:01.777{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C541C69091DA91100D606173D998E504,SHA256=72DDA1087A0F88A4F17B3EC867F77FF836D646AA3BA040FB550ED98E8BD99B3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:57.787{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50033-false10.0.1.12-8089- 23542300x8000000000000000650525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:01.626{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEABA3A23842A3061DA7E835E4FC976B,SHA256=3EE0D8365944A730C9A5A6D2650D5C5D84EF38D8D474B501FD1DF51BA8FFD65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:01.251{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684DBF661B1B1DBD53439FE5BDA53AD5,SHA256=0C8EBAD0B5863E845EBD5B4E4598FE85A46004E44D88ACC9A3D3D5B10DDE95CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595841Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:02.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CF39AC174BA6F49A7D086D8DACA5FF59,SHA256=FFE1C8654959600A43A9C0F80B7E51E5377CC79FF0DDD62173930DF922E92E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595840Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:02.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0787DDC60CCB4A0C15FE13F75273E61C,SHA256=8542DC4E69C7D5000DB45DC0397196C03666140E4DFE36E6637FBAF56AB3524B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595839Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:02.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9583D89080F50354C19E5FA14ABCC10F,SHA256=19B88706C08F11FE2CC00F9A07F942D7F2E988B04063CE1408A18F6F829BDB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:02.704{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C663B7860F0F7689AC1AF37B1DEFD734,SHA256=BDA4BF51B55E583273A99EDF97B257B82DC096BA463B3D5E789F2DA45B742364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:02.314{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D89675F78492DAB898BC90EF84C866,SHA256=B4C2B3B374FA959DB5563409CCED7D47538B68E0F64697402DF329CA9AD74874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595842Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:03.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681A42C5090469FEB300349C5EA42182,SHA256=5796F4D00EB26087BC22ED090D58DD10C1A0528D68D6CE13EAB207A94966BBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:03.970{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A262CBC9A5ADE97D62A1C697493BD34B,SHA256=810BD69843DFDDD30F07EC4002AE3B7A6265BFA6264A9E6E542B10424F87CF8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:54:59.757{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50034-false10.0.1.12-8000- 23542300x8000000000000000650529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:03.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E5B213EB088C2FB2F4BDEBA8A0BBE9,SHA256=FFC99E1CDFD0CD8BBA46CE8B8E2A54A90A80F61AEF01183172D33CD68340C077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595845Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:04.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957C63A205663779899160F127CA551E,SHA256=C1F3B90040A71D21398129758A6C2566979EBBBF981D6EF97ADF6AFFE67B63F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:04.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB920EC841E408A583239544E48F8A59,SHA256=4BF445A46EDF6C7987BF0E2212111A34638DBB6F4C17FED805205D7F286EEA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595844Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:04.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31568C0B3F5F9E9BDE60E9EF31D293F3,SHA256=6432D1D7B859F0B1CF07AB537758C902F433D547628C078C8F66B8FAFBDF9418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595843Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:04.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE5EA392862B1935FEA66A6979D460BA,SHA256=6372F62DAEC63E00BFB10EE108205994BB86D539EDF93EB513840518C041EDCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595847Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:01.997{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49796-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595846Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:05.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59DB507E698A31A0001172A8DFFF5426,SHA256=D3179324C68570EDBAFB760D698A5548F62C04F72788EEC782D1349074BADEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:01.585{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50035-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000650535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:01.585{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50035-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000650534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:05.439{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CE323BC2F6B74737E765C0A80169F6,SHA256=7F0EFD4086AAF5C0DACB3DBB93EE55F42709B268FD2FAC7D86DCE008D55CD266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:05.079{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1E41E1C014F81393BC8C01FB072B358,SHA256=47FDBE32569E50AAA2DAA8408117CDE30FA991C4AA987B0B0B7ED1FC78C754B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595848Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:06.808{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A8E226A7B4D8E5249ABA8EE9EC66DD,SHA256=14293CA56E666C1332AE0BB272DFEE883211B3E93900B889DBBAD87A6AA5B852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:06.595{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25726C9D3FEF893779C7ECF9EDA2662B,SHA256=5A4CFCD91E11A20BB7086114A365ACF9891F6EF3BBD066C9A3C0E8C0BD6D182F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:06.454{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AADC6CE702DD04C058C9AB8E444349F,SHA256=6A2EEE040C6B28E0B9A4FCA7DE93D0C107238F42B9F37DBB5744067D60492A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:07.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9037AE958DE9E77BF08B7505760715EB,SHA256=B12454129ADAB2B93C620AFA64FFDD77FA068811B8143DF47EEDFDEA2293EE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:07.548{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD8BD03AD507BCF07B4A62FFB5373F0,SHA256=EA0A21C4814892D5A0A059409F495E6EBE76C74A6067A6C82274A23AE73FB7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595849Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:07.839{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E076B559FF5A777908117749322546E9,SHA256=260DD15A9ED31F0D7EE70642DA0F1EFA57F9C73176724F7EF6A1F9EB5C21B993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:08.861{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A21887B1F8CE626345300DD2DD2A006F,SHA256=C5A45EE10388FDCD1E946AC05E9D4E03FDBD169AE4550FC910EF124EC02C26CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:08.642{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F03B67D331D03D3FE8357F1353A422E,SHA256=F202B719618107DD6C5AE146D673BE54B161209458381F1D14B1377D69B340F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595851Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:08.855{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0A4B4703A8F2765BB63FB968EE68AC,SHA256=68920874DFFEF6B84D8F3E9336B6C90C11195C2BF1D0B47E79AAFCADBF63302C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595850Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:08.105{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:09.876{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747BF2920A952450231D368690B2BB50,SHA256=FAFC88DFB1B7D245E85A419CAF35BE98F7E66B459C5BFD434E899E356A17D339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595852Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:09.855{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0CA3F0E857B986BEDE6FB152EAB930,SHA256=A733D79E4FB8E22B8842C9C8D7649E79C3C28FA6CF3C768378E91C89C155618A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595855Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:10.855{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468A4AC30EDD41151CFF0F5FD6D08B28,SHA256=8D820ABD61D13DD7BB95B7696AA0E6FB69226AA26F9AF886102EE0F9EE515DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:10.048{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C0D2825D8CC6FFB29BD8644696563D6,SHA256=0B780E7F1942DB92C60E7F9505FFFC0A287D17B6E4E45906B28C18B8E1BD08D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595854Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:10.277{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF37C7DF4AC5F105BD6BCFEF057F1D5E,SHA256=5516837639B67AE33FC92D167262E073F878BB66931D33A34AD73ABD4745B4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595853Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:10.277{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31568C0B3F5F9E9BDE60E9EF31D293F3,SHA256=6432D1D7B859F0B1CF07AB537758C902F433D547628C078C8F66B8FAFBDF9418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:11.142{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=514042CF012ACA2DA359273099D66AF5,SHA256=378E382241B3BF7F1DFC7CCD3753313A413FC4B4E76F27A5419169CA14E1B54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:11.111{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=539F71354682CD611CFEE4BF83229DD3,SHA256=1AB03B3607746152186D75D02621A67CC9A740E173A78F4B5CF9C5F3B5E3EF6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595883Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:07.982{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49797-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000595882Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595881Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595880Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595879Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595878Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595877Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595876Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595875Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595874Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595873Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595872Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595871Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595870Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595869Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595868Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595867Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595866Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595865Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595864Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595863Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595862Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595861Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595860Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595859Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595858Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595857Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595856Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:11.105{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000650545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:05.584{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50036-false10.0.1.12-8000- 23542300x8000000000000000650549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:12.345{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=550C75956835687A12D226578655DDD0,SHA256=CBD991D6192FB73CB71BCBA90FC6ABED3E466A7BBD0E09779FDD59810DDC0BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595884Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:12.136{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37364E79336DDDABA506C496E7690EBB,SHA256=2F52CA14949F007BC31401943A698D2247EB41B717D14C5F36562C3CD79C5EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:12.282{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8701AF84DA7B7809346D0056390F7881,SHA256=4C272CBFE57121FFBBAA4F524C6194F4D0938DF5D5697E5F52EA541400FDF2B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:13.423{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF7E04C9CA181218A8BFB6FDC23711B0,SHA256=A05DA739F6CEF09DA99ECF4CA47FA39EE0994C1CB9A06918426C87EA5EA1DEF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:13.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F8A97899A8CF53EC2E1B5A577A25B4,SHA256=228C3F674FB619A10814D5F130E6D28FFA7CD82F9F1B0BF3B6D9E296EB9DBC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595885Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:13.167{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0125E48D31CEA2BEA01335FD127E90E1,SHA256=E20A7E7C59F8417EB9CC9960489DBBD86F525BEB282ABC9292AE9B28CD4B2085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:14.564{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88A36C8E66DFA9FEA4A60668C6B3F1CE,SHA256=DD36061D8DC957F886572CF1E5AF07A717D85C64A36D223101FACBA22FB51E34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:14.407{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65D7E80A513D8E43779DA6052D57590,SHA256=CBC31A6A50E20FC692F7D50007296E22D8A1956E91F92B2B1C5A0E63F09BDAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595886Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:14.167{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51976E8E82B3612CE424D60380FA8A9,SHA256=8142D1416FB3ACA44BFA4E63E69CD8C556C5C30BD8E24B6C255ED5CCB2672BE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:11.569{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50037-false10.0.1.12-8000- 10341000x8000000000000000650571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF43-60B8-8D4E-00000000C401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DF43-60B8-8D4E-00000000C401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.829{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF43-60B8-8D4E-00000000C401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.831{D419E45B-DF43-60B8-8D4E-00000000C401}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.704{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=747FDCC4606A647E28F48EB5581A0319,SHA256=8D3DB25C3589EB7598107824C0F9B412DA6744811923713CB4362EAC70FB3779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.439{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADEDCE6B723A3C30A3F11AF02B7BB4E6,SHA256=B525B759A886720B082E718D42BF941DFA81723150E3E9DBC72908E605BD557F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595887Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:15.167{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FD0B8F2C6232C8EC106671D1FD12A9,SHA256=65CBBF48419C9A2DFCAC5C254E629E9C68DDAE62D5C1CD1BFE9D40A4CD20C57A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF43-60B8-8C4E-00000000C401}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DF43-60B8-8C4E-00000000C401}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.204{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF43-60B8-8C4E-00000000C401}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:15.190{D419E45B-DF43-60B8-8C4E-00000000C401}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000650592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.995{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF44-60B8-8F4E-00000000C401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF44-60B8-8F4E-00000000C401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF44-60B8-8F4E-00000000C401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.983{D419E45B-DF44-60B8-8F4E-00000000C401}1368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.980{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EC98375E618A724E75D28516261B382,SHA256=88E2995DACBE240D79D353C8DE089D87C41C055FE37DB8F9F61FC23039DA83E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.542{D419E45B-DF44-60B8-8E4E-00000000C401}8726236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.486{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC9695D25188A5F359F57C3CD861B26,SHA256=1E19BF551AF5702EAB0DA91B97E2B278333FB119C21B7F7E0C61068AE1BDB6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595890Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:16.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5504F7FFA13CAF3E727B4068663F74F,SHA256=5C6BA0B12C8CD519A462383D58E92ECDE9AF20BFAF4E9A6756B7EE3A358D8740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595889Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:16.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF37C7DF4AC5F105BD6BCFEF057F1D5E,SHA256=5516837639B67AE33FC92D167262E073F878BB66931D33A34AD73ABD4745B4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595888Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:16.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203CB78520BA2FB4483B063B2DB86B6B,SHA256=4D00AB35931285ECA965486E3E7A2A9F42923EEEA5D20D2F25DC246467580B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF44-60B8-8E4E-00000000C401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF44-60B8-8E4E-00000000C401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.345{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF44-60B8-8E4E-00000000C401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.346{D419E45B-DF44-60B8-8E4E-00000000C401}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000650573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.064{D419E45B-DF43-60B8-8D4E-00000000C401}4088880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.777{D419E45B-DF45-60B8-904E-00000000C401}3444816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF45-60B8-904E-00000000C401}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-DF45-60B8-904E-00000000C401}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.605{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF45-60B8-904E-00000000C401}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.606{D419E45B-DF45-60B8-904E-00000000C401}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7C16830E8AF34D58288E6290384667,SHA256=A9B2E49344579CE2C1BAEF0B28925ECE120FBA8EB52CF3634063E2B0D92958F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595892Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:13.997{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49798-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595891Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:17.193{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B4E8415763A5AF5DACC235A5FADD6D,SHA256=B9CA43423253356ABDE9B59C7B1C51F0A89B53760574A3D708D0316E1A4DD837,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:17.183{D419E45B-DF44-60B8-8F4E-00000000C401}13686608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.730{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF46-60B8-924E-00000000C401}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650620Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.730{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650619Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.730{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650618Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.730{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-DF46-60B8-924E-00000000C401}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650617Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.730{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650616Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.730{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.730{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF46-60B8-924E-00000000C401}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.731{D419E45B-DF46-60B8-924E-00000000C401}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.589{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4F011EA6E74F516841C3FBC75004FE4,SHA256=6C142371071492788A498C97DF71432BF4423CAFAD819F547A76ACB3FF2D5AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595893Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:18.193{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146D3C93B0EC2B3B0F7643965D03662D,SHA256=CA95FCD3D725085F1F7217BBCCAD0277974825542330290B238052A03956F671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.245{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-DF46-60B8-914E-00000000C401}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.230{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.230{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.230{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.230{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.230{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-DF46-60B8-914E-00000000C401}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.230{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-DF46-60B8-914E-00000000C401}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.233{D419E45B-DF46-60B8-914E-00000000C401}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:18.230{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D5FCB7454629AFD5FBF51ECCB974054,SHA256=53AAB91B64E899CE532EB747A6E77B0497F329657419143D4122633EE94DD2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:19.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E019013FDF110A598AFC78FBDB6CA9,SHA256=CCC3FC569F9D8DBF971DEB229BF118D6901759E9B36AFCDF202C31C9FC2C8A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595894Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:19.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86ABC45299310CDFCE74148FA0EAFE04,SHA256=62AAD7A22A631E3BC36ADFE3B186488E6AA0C9548A982238FADB6EA7AF652CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:19.480{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70C86B168B3C13D3CA047695F9E7380A,SHA256=C04B0C5021964FAE2A2782A4B17F7539A57AAC8FA75118BC18ECFFA69D2294F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:20.636{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C13B434C7A662A548618C6049050703,SHA256=3A72AE9D434196BDEE5CC4F7B272BA5E3BE9640E35009E0501520618263D43CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595895Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:20.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721739CE28F724088122F3805053C1A1,SHA256=2719C612CEE9B185A847E7146001020D94ACE63779A25064D52D429C3A911EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:20.339{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D71131D666D22FC09299BF1F5B028F02,SHA256=8F9D441E3E4868CC0F3570894694D187E7711B26736DAD1CF08C406096A2018B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:21.870{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1842E2DCF85CBBEE6417105820AF9D3F,SHA256=25EEA1CD9E7D56D4C8B15B503DABBDA061845263FD8BCFA2B0C4B0828CEAF920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:21.652{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66782327EC7B99C63D33B0E7F0BC5BF7,SHA256=A2F046266BB089CE822CF50E79A6F3DC73A19A3D43BD9588A39A4B11092B66AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595896Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:21.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610367279117D04356483643F16D135A,SHA256=8CF5D4CDC83D84782C6966423A59710CF565055558A525F4FBE66E91908B4E17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:16.782{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50038-false10.0.1.12-8000- 23542300x8000000000000000650629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:22.667{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504EBD8861A0E8E733622F33EB8D9833,SHA256=2594C809BE1769F2ED09E22D9EEB977D48F4F9A9A8C1A89DE38B251293CBCA22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595899Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:22.287{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF86DFD8A2A069708E2B24DCE400B6E,SHA256=4358F3BCAC721DFA8C3368901F24710B899F868BE5F569EC77CA94927970D178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595898Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:22.287{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5504F7FFA13CAF3E727B4068663F74F,SHA256=5C6BA0B12C8CD519A462383D58E92ECDE9AF20BFAF4E9A6756B7EE3A358D8740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595897Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:22.224{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F389BF625B0B5235656F4A63EDEA9C,SHA256=4B0DB9D766686A3B4B4EBE9640B41FCFE9049F6202ADC51D56207ED9F84C703D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595901Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:19.882{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49799-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595900Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:23.224{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A1240BA5491CC46301BD5BA1DD6BF2,SHA256=D0B2D9C6532A53A51799033F273F6869BF7C951FD951538D89269619DCCABFEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:23.683{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05F7A142E314B2F473DB7907961465D,SHA256=4467F13F3D51319FDE48500D681A5BEEAC71165D335C72E0A25D33429F7BD001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:22.995{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F269D15092A0C26D46A1E09C11453A8,SHA256=5F9D3EAABF409BFEECD17814CA70CA9E8571022B1299B0F1DE57D3CD558D339C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:24.699{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9A288D80213FBB540C8DC4FAC9C6A3,SHA256=D503EA42D5CC49501577186EA65F82209801462AB712A19C71759FE383F5BB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595902Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:24.287{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660FE30FE9AF2BFA9F47EA261AA56836,SHA256=1B8E079510A05C2A3DE5D375FBAA995EF041B5AA0495F1FD1E1BE6FD19237C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:24.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C23870878F7B45E0B1497939941B5FC8,SHA256=A82D662B35942552056C49D1C50E5731C87C90042AA58BFB21A26F84A0DCB8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:25.714{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFDD310E002586F955AA9A77CEC2F55,SHA256=9FADFD51F71BE97F079B9E701088810B3489C279EF613EF9C07BCBD940F31D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595903Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:25.302{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD0A7E0CBF5FDAC9AA0E878EF6C8E53B,SHA256=B5CA6106CEC5EA8D797683DCA3BF86DC079F41DBC91FE02C691772024ED2114E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:25.370{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=290FA90BE13E30C1326B72C168F9FEA0,SHA256=93940F17DBF5ECEC828371A5C09124CC74D962E8AE84D77911EDF268C35E6174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:26.886{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB7C0BF07DF32941CA69B2067C2E0239,SHA256=FF204F2B4127EA4A2DD93798CD77E3ED6ED44432768B465B64C50D44B7617371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:26.730{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DEF16BC100303D5E64743BDA0244745,SHA256=E73BD6073A575849EC4CA3D1CF58489536C97517C7C5CD3D13D4369D4F213DC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595904Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:26.318{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303542F3C633F9167FC5C0A66A84B9EA,SHA256=E57261ED4BE5DABEA5E02F21036626A6A2872E8EA933FBA8BE1C70F14B6C24B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:27.745{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C36FDFB52741CF377663665D09C71EF8,SHA256=00E1EC68BA158E219963F14D6298EC3F9AD4FEE32A6B6FC3DB6B49A6A99AA4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595905Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:27.333{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3797B47BA57C17746222216FA5E1B0E,SHA256=9D4C886ECD4BD8229669A0E7E970C17AF572EE2C0644F45669FC92703A1595C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:22.547{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50039-false10.0.1.12-8000- 23542300x8000000000000000650641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:28.761{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4727EA27A82FE4D8902853E9BCBE5D6A,SHA256=9FB50EE85BF32318B5B358896AF2602B019FED1FEF4BC6C2984BEF98E15F1411,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595936Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.849{97C2ED32-772F-60B6-0B00-00000000C501}6283676C:\Windows\system32\lsass.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595935Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.849{97C2ED32-772F-60B6-0B00-00000000C501}6283676C:\Windows\system32\lsass.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595934Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.833{97C2ED32-7730-60B6-1600-00000000C501}12042080C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595933Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.833{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595932Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.818{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595931Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.818{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595930Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.802{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595929Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.802{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595928Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.802{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000595927Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.802{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000595926Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.787{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595925Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.787{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000595924Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.787{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x8000000000000000595923Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.771{97C2ED32-7730-60B6-1600-00000000C501}12042540C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595922Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.771{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595921Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.771{97C2ED32-7730-60B6-1600-00000000C501}12042540C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6058-00000000C501}6044C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595920Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.771{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6058-00000000C501}6044C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595919Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.771{97C2ED32-DF50-60B8-6058-00000000C501}60445376C:\Windows\system32\conhost.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595918Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-DF50-60B8-6058-00000000C501}6044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595917Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595916Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595915Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595914Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595913Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595912Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.755{97C2ED32-9D3E-60B6-7A08-00000000C501}33643512C:\Windows\system32\ServerManager.exe{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000595911Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.751{97C2ED32-DF50-60B8-5F58-00000000C501}5224C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000595910Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.708{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=ADA38238E842BD3C756A3FD127EE3703,SHA256=3D48016B6F04755236E9CF8EDC297D2BE909B162A1B45E82250900F49C815358,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595909Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:25.913{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49800-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595908Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.365{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DC3279F7E29B555480C00C0ACD5F89,SHA256=CE978F055E27CD5199D81A783EEC44B37B663F490B81369FB386F4CA0E24A222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:28.011{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8F06C124C9A1A2B2AC11ACE23137B45,SHA256=515F42759B791DDDD23628C7AD1092E62246A0A96EE45B286B6B72292A4744E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595907Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.318{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0468EE0F7493A93697754916BFB30FB9,SHA256=3501F23A150FFD3486E58E39CBFC15022BC33D0182A6E4BC2D8AAE2CAF0674C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595906Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:28.318{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF86DFD8A2A069708E2B24DCE400B6E,SHA256=4358F3BCAC721DFA8C3368901F24710B899F868BE5F569EC77CA94927970D178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595952Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.958{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595951Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.958{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595950Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.958{97C2ED32-772F-60B6-0B00-00000000C501}6283676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595949Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595948Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595947Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595946Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595945Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595944Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595943Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595942Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595941Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.943{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-DF50-60B8-6158-00000000C501}4288C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000595940Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.755{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0468EE0F7493A93697754916BFB30FB9,SHA256=3501F23A150FFD3486E58E39CBFC15022BC33D0182A6E4BC2D8AAE2CAF0674C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595939Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.740{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A400E79D6BE458F62B19523198A2CC99,SHA256=9A922718C00C70B438BFA201BD04E1995558F12AE27563DE2D78B2E8FC6F9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595938Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.740{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CF39AC174BA6F49A7D086D8DACA5FF59,SHA256=FFE1C8654959600A43A9C0F80B7E51E5377CC79FF0DDD62173930DF922E92E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595937Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:29.427{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23EC6772FFB6FA8FC43CDAFAA010FA9,SHA256=825DFB972B66A42E3F03749F9E1A4E4C1771A38B7E8957795669E279E9796C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:29.777{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C6BCD75C4FCABCE28D085C0184208A,SHA256=360FA6EDC1F6B2D6D7CAD588F044242D74D84724EC504152A58B676E9A1B2EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:29.152{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4863FFCAD959BF0CAC74D5D9E2C78BFB,SHA256=AECB772A38041E2D79596EAA765BEF54210F35B81BF09AB30A2AA8712A31E456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:30.792{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D684EDCD2F1BD910B4438EAE984F3D99,SHA256=0680F03DD2B8F9CB8324D0B478DA8DA2CFBDD015F343AE294199C9B4A41E0668,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595955Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:27.637{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49801-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000595954Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:27.635{97C2ED32-DF50-60B8-5F58-00000000C501}5224<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local49801-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000595953Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:30.443{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3972040A0700731290858E7167DC86EE,SHA256=266505A45266088FD51971AC70F2AEF6D4DEE64D08D77B645BB00CE3C0A6FAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:30.402{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88C96FF062A40398634F0D394E2A6E87,SHA256=2CD8CBD088249443620D5F69D45E753EA933AD0857E51F38C2A52663ACA9B421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:31.808{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5680856F1BE99195489ABC64E7DB17,SHA256=A02B207E33F1A9D392CFBAE7E0DB06CE6CBC7C1977590DB0DD155532C8D96CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595956Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:31.474{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7210AD4A44994B6CE08B7C263E1154,SHA256=B3927E862A8DB3E1610D60E7034C18BECB08026966D729FADA38350B8C79AC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:31.542{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06402FBC27BA8F93E4AC2F13987FA91,SHA256=6E44AC107882AA787BD22885219260D5686B36A031401699A1F201FF3FB48F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:31.542{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2303F94F9FD0F8D1B946B033897DF326,SHA256=2182EE36EEA04CF71C4FB6AFF7C32E5BAFC7ED710E50DC54BC6EA455FFCE8318,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:27.687{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50040-false10.0.1.12-8000- 23542300x8000000000000000650650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:32.824{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B6300BC5F70F1DDE46D6379582D440,SHA256=8EA063963CCCC275548D3568A515640FAE3383A3AC72DF4B99CF0125B85E1BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595957Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:32.474{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9EFE2F35BE33AC58D9487BBE412EE2,SHA256=2E0214C0261289D8A0A2ED881DE9D7FEB304FDA97E8FFF9C310D13F0F7AD1017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:33.839{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5607F9217E7D1CCA28E2F02716F23548,SHA256=DCB5FDCB7468803043AE6C9DF20CA1A7A937599F2B7AF67DADA540C044B0657A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595959Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:33.490{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63DFA4FF683D74607BB8269ED1F4447,SHA256=426542B965325359E0F5BFAE34507CE1BA6E397D2072CD16616D365D5D43F24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:33.042{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12142F562075FBED59201565C51B4148,SHA256=31E448A572F274B157FDE7691ED25807B78CC44B1A7F7F63373B43FF73733CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595958Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:33.130{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4105574B11FA61CCD85C2F2DB950E38A,SHA256=774973AEF177E177D9C12A5371572A62678CC0F4DF8E2EAC8C3820DC940A9E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.855{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCAD16BCECCB550FA88F08E5F7B577D,SHA256=18B3719A594A0E51BE2C70A8CC90E92279D52BD5F8ADF0E39052D2DB3E10569A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595961Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:30.929{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49802-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595960Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:34.506{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5BE1FD91AE235DEBC10B03C0A9F7AA,SHA256=9F2F52BA861CBA38FAB9FDD5BA6707A1108C292161AE3FA5D1D59191DE74B5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC59EEE911DBFD3A1DF0C87765614420,SHA256=747446696F530C88B85727A42DF535D9E76DFC0B5D8D9A369BB50E2A7CF9948B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:35.870{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C38B4DA13E913FA40502AEA190CD488,SHA256=984989FE14D7312D17E824DBC503E000C4BAA5333CA5430CCCB07C5A86CB3CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595962Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:35.535{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7F2D58FB723988184E3DD1261051D5,SHA256=8F2769680A627E4DEE4B36F72749E5089CA6387917E423AE4F6DB3E4CE5EF3E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:35.324{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C77204C5691CBBBBDB61C2B1FAB1AFB3,SHA256=75BCE2695E5C19B2267B8206D3FEB1681566F28938C6CD9B0E375B7E01A76003,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000650661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:55:36.893{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000650660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:55:36.877{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Config SourceDWORD (0x00000001) 13241300x8000000000000000650659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 13:55:36.877{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_368F3813-04AC-4615-AECE-5D3085605520.XML 23542300x8000000000000000650658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:36.877{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7677181B9200701B483072EE422C356A,SHA256=07E85B199BEBC2929E4FD7B7A10AA48618DB85C7C641ED5000412E5A6D424AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595963Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:36.542{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B33D2951AE023761EC9F41CABA4288A,SHA256=351852237CD2C58B1D648A49B36FBBFE57F5E1A334342A30813079FC495162A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:36.705{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8273DF2360F950621F701538F814EAE8,SHA256=7478066B53F361270B48349739DB09C8AC5C7F628443B95D8A0B3DCA5F9BB776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:37.890{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9B513C2840E313E5B967E75D66E29D,SHA256=D117E6771D03E6D3F11BC30911F4CD0A3F6A1732A82B6BE073D1256F929DB0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595964Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:37.558{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C259E940BCCEB4572C4EDC5CAE57E4,SHA256=D95E4AEA45CC7F467804C617B5687A8884C2F7701037D4B5825F181D9C2F6412,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:33.705{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50041-false10.0.1.12-8000- 23542300x8000000000000000650671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:38.894{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE88A1F49B98E2E85E6A2ADBE2C47FC2,SHA256=20D3EF29A3A4A040F48A9C7885B692275C274E5198C6903CB102746274C08EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595967Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:38.558{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24E0FC2858143E31F29C1053B611BA9B,SHA256=64C54CF5403DFF08D1CC147E1A3B3D7B0B478C5AD3E99A18CA2E2DE8D2424B52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.422{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50044-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000650669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.422{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50044-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000650668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:38.187{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6312FC69FA65742B00EBC0B16D6C886F,SHA256=4B32A1770BA124BFD81247D035B87B4C9F7E074D9350132B61F4F080DABAAD9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.415{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50043-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000650666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.415{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50043-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000650665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.399{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50042-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000650664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:34.399{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local50042-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 23542300x8000000000000000595966Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:38.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABF28528BE7CC217665FA55DD208D0AB,SHA256=37FEF50A1D8E47035A71085B9831C1819B32882B6A8CDD273A6AC5A59BA0D0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595965Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:38.183{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1992AC0CB9C79FF1911DA8267C6F1220,SHA256=8EE505A3DE9D75F3451A3596B16E72DE68F41E262545B326AD6C91E04C4CFCF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:39.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51CD1BB235F5964D9D4967B223DA9F6,SHA256=B1CE19B78E0EA6E38FE7E9154EB35FFEC0267E24B0F4C2BCFB3F8DAA011137F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595969Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:39.589{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21419E0D1BC494420F909DD88AD2F64,SHA256=0FFA6465E7DB78A02B98AC40BA3BF6422FBF9785293E60F84FCFBE03237FDEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:39.331{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11AB077224B2EDB3DFCCF30F6F782CE6,SHA256=22E8AB8DB747A6B551DFD62AADE8A87ABB2F51FB4C91B798CCBE2FCB187D1571,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595968Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:35.997{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49803-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000650675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:40.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465D648C59BB378A0FCE98C2E612C72D,SHA256=49E3519A2955F151AAD8ECAE334A962EC542E1247365A83F5FF116E8C9764BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595970Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:40.620{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6968EC1333B796E4223F87CE0F3E22,SHA256=78DA4C0FA370662B56BF5166527DBA2F90E22B4A357FE0B12BD15D1E7E95D337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:40.581{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C4C615CEFE0A84B331C669F0AAB28AE,SHA256=C69B5B198017F7623C365D8D80B0CA2E42B2431E2F430EFC7B3EAA801772A5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595971Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:41.636{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050C562766666244B19EC59F98FF1595,SHA256=62F606ED90DDBE5B587B04571BCA9CF2C8AF3FEECA01AEDF922858A6E95675E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595972Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:42.652{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E986A51F724A97DA853AB9147DC7BD5B,SHA256=3D1BBF240E88909D2521CD52C29BB67802245B73F0ED640EBCA99B48869E1918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:42.081{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1DEF4CEC64C15E23F5548133F01BBC,SHA256=931A8296DFC909938F4157FC27D61896CC3BD8AAACDC0656B0B7DBB8CF7D3B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:42.081{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB02296F83CA91F7C7748C3E2844D79,SHA256=8BF78A098AE4E6EFD4E2AAD15045D9F2F83B2F063EC1F7FDE3FB3413909AE3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595973Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:43.652{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0964EDCD3B9D6B811CDE93D791F1028,SHA256=9BAC55C750E29DCE7D7189E63D8B0AC84738CDBC1320FE91902C867952A182EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:39.695{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50045-false10.0.1.12-8000- 23542300x8000000000000000650679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:43.222{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD0A00EB847A8AFCB6D3C84611076BF9,SHA256=70D7E7181AFB010EC66F81390A15DA9EB95C9AEEC738E4D928AE6D962F489EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:43.097{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDF8B54F6153B86600C7E042B72FEE8,SHA256=29F920726B331C3B9925053571C437A1A6F357CDE657D56FD7405FD666677036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595976Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:44.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8CC3DBBB4AB816F7BDD50C05815372E,SHA256=480EBF57B4146F1F8E5DFA1E9047BC35583E6BB402FD59AD98DB91B7E1C3EEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:44.238{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FBA56768188D052C924D8E70D7E2BCB,SHA256=7267EAD716D223413BC0688E0857A9016102D3B1BB705EB57A6B1D27AAA24AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:44.144{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4CB700F01381E7A16A8669AF41C7AF,SHA256=9F11408F2F6F3C01686A1E62E0E7734626E3242432629F3582F36890F5C78D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595975Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:44.323{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F764CEB2198E45745145B6D6F6D29A06,SHA256=F27310D67791D6FE1CB0920EB09F20B92498E5B24164BBA77336BFB2BA1B6837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595974Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:44.323{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABF28528BE7CC217665FA55DD208D0AB,SHA256=37FEF50A1D8E47035A71085B9831C1819B32882B6A8CDD273A6AC5A59BA0D0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595978Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:45.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D73ED874AB84E46C39476B9F98CF75,SHA256=28281F3160AC079A8D9EFB75946FDB6CB079A84C7BCFC43E4273ECF58E67ADEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:45.363{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32AAACA4097A02043F5E3F814D3B774C,SHA256=4437A20C9D4D9CAD04361D1FEED6BABB0030CB86BA08F2729EE2E98808B56A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:45.285{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DA88760942607B0111771C3BA611EF,SHA256=BD34E9ED90F87C5ECA3B809537594E0593E9A5FFFA1D75045B9C3E36BCA9AA7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000595977Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:41.935{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49804-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000595979Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:46.683{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB25745064D2567E44FB16C13AA41A6,SHA256=3A535C9CCCF794F88DDC913663384A60A0D6C8FE7442CC8377E7C87D0582F6BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.878{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.831{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-DF62-60B8-934E-00000000C401}5805036C:\Windows\system32\cmd.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000650695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.811{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\AzureHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1 10341000x8000000000000000650694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.800{D419E45B-A18D-60B6-F00A-00000000C401}11323376C:\Windows\system32\conhost.exe{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-752F-60B6-0C00-00000000C401}8484960C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000650688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.785{D419E45B-A18D-60B6-EF0A-00000000C401}32001160C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11de81a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1121804c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1127babe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125dacd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125d95e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1124e67e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125bbc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b732(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b49f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1125b0da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d33568(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11240385(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1123f8f7(wow64) 154100x8000000000000000650687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.783{D419E45B-DF62-60B8-934E-00000000C401}580C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1C:\Temp\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000650686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.550{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19157B9C5587D4949F366D34EF0C9A26,SHA256=D1827E2D9E033CE0604B528D322E4B19B498BFE56CE1E947BDF91E970074FCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.300{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3ADFBAC1D5FCFF4961D242CCEBA629,SHA256=F5E1AAE66F603148DD209AAB7C9DCFD8C4351B0666EE370D932433DF5B33D7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.800{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A3AF3E07C21634D4F4E674B6A277A41D,SHA256=A5D9489F274BE44FED2BCEE96458013C30E9BC5B71AD53E221A8F324EF57FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F6280EBBD2EA229382F81C9EE06CA1C,SHA256=181159864EFE68ADA69B23DDF0AF1DF55AA2B642C18ECD183095DA9523D23A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.785{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB62270384AD3FD2D2D32B9A810C64B,SHA256=2855C2B91533DA1C8383F2978A75D398775F9423D2A704C3A73AAB5EB2EAB0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.331{D419E45B-DF62-60B8-944E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.331{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=576FC27C1FCEEDE6C23BE5CFFC4E1F89,SHA256=E12C4AE2488E5AD9DFF0DCAC17FA91682E376FB5D0EBFC889BA716B18D84D935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595980Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:47.714{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B1F650C387343A09D614EA1AD2D63A,SHA256=402F6906ACB8CA9FBC00F0CE599335E275229F94BA63D9955B4F49A3ADD39E4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000650711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.285{D419E45B-7530-60B6-1600-00000000C401}1268888C:\Windows\System32\svchost.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.285{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.253{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.253{D419E45B-752D-60B6-0B00-00000000C401}6326984C:\Windows\system32\lsass.exe{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000650707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 13:55:47.222{D419E45B-DF62-60B8-944E-00000000C401}4812\PSHost.132672021468116005.4812.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000650706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.206{D419E45B-DF62-60B8-944E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_1dzlpnwa.21z.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.206{D419E45B-DF62-60B8-944E-00000000C401}4812ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_p45h5qei.wwx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.175{D419E45B-DF62-60B8-944E-00000000C401}4812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_p45h5qei.wwx.ps12021-06-03 13:55:47.175 23542300x8000000000000000595981Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:48.714{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A32D39DF83A14F8CF7E9B31759BDF4,SHA256=B0985DB44D2ECB113A8ED418802848CA5A83FEB6F40B5FFEC79246DC284E8C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.972{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3AEAF022FDB3697E22155D664F2AA1D,SHA256=8C2F206D1AB4727066BB514F4EF7B1935BA9F9F16ACCC5CB1755C9252B717FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.957{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=674ACC1E77E6D3CE928ED37C0647F4F9,SHA256=B4828CCCB5F12B14F1A2F8D750A3F2EB047BDDFC9C3E8C90019CF4B11C576BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.941{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.925{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.503{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E1B8A9FA5656D77F3BE5416525DE45,SHA256=DB2712A217D35B68D0D69CBF98061A2EA7935EE551AAF8C0CD484A209DBE9E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000595992Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.730{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50998829D6EFC370B55EF9C802AFA73,SHA256=06E778FAA12230C354C0B20AF8EBF42B4CB0E4654240148B408694A3230C9657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.691{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B2B22651C6310BBB99AD52FC37DEC2C,SHA256=19882DF1DC073A79CAE59621D04ACE4FC8FF10AAEABBBB87D261B4D973D9D81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.645{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.628{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.597{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3246824595B5A37DA82232C730E6BF,SHA256=FC170182BA635F561B0106C77EE85D5066D7AD1F2ABBBF71D026C318EDEA1951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.535{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D621E78E4F2A4E4649081B67F658A76D,SHA256=BE37A3F5A14C4E0B1A3233B8132D329BB32C3597D0795FEFB096F4CF7BFCB48F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.504{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0593BCEA4006BAFB783DC7278559AB,SHA256=F898C7FD5A8A3283F4DB8633F84CD6883E7AD5A19C7BCBC2ABD0C5C03137A2FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000595991Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.542{97C2ED32-DF65-60B8-6258-00000000C501}28204812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595990Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.417{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF65-60B8-6258-00000000C501}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595989Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.417{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595988Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.417{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595987Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.417{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595986Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.417{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595985Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.417{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DF65-60B8-6258-00000000C501}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595984Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.417{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF65-60B8-6258-00000000C501}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595983Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.418{97C2ED32-DF65-60B8-6258-00000000C501}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000595982Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:49.261{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F764CEB2198E45745145B6D6F6D29A06,SHA256=F27310D67791D6FE1CB0920EB09F20B92498E5B24164BBA77336BFB2BA1B6837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.457{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179ECF576A47A749ED0337D156D5CF6E,SHA256=D5A56C3F2EA306AEA7E02063AEC18BDF5F9EE3F8E7EA3ACA2A129A0DE325FD22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.316{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4EAEB9D0775372D691D5561A567902F,SHA256=FD2180212F1EB82D29408E6F11CF3D02B8B765AA3F1554F30B3A1052A37B8AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.316{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.300{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:49.285{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-aztenants.json2021-06-03 13:55:49.285 11241100x8000000000000000650726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:49.207{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroups.json2021-06-03 13:55:49.207 23542300x8000000000000000650725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.175{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=195A4410BA5E3CDE7D68587A7E7222E6,SHA256=641E8814383A927B569A6D0BA6C92707118E723A3CDE10751ECC31D666DCA08A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:49.097{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azusers.json2021-06-03 13:55:49.097 23542300x8000000000000000650723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.097{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14E4A666AB43C980D68EBD0A934B6F14,SHA256=C18870116D96D3DABC73DB07558425DD3918FBBEF3FD9E61FA66326D435E7D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.035{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86084CD48E951F812E9E3DEE6E5F223B,SHA256=22B565B5FAEF36481F3F4A2D4E5A28438E60BF1654486B2FE56CB4E9918AA4DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000596012Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.886{97C2ED32-DF66-60B8-6458-00000000C501}53962064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596011Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.761{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF66-60B8-6458-00000000C501}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596010Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596009Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596008Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596007Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596006Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.761{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF66-60B8-6458-00000000C501}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000596005Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.761{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF66-60B8-6458-00000000C501}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000596004Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.762{97C2ED32-DF66-60B8-6458-00000000C501}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000596003Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2C1308A4431C98451AD34AD5F781B1,SHA256=E9A996552F4BD69B754220CFF6260E20E1919BD386D5AFC33AD3958FB015080E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.878{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.878{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.675{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5A23A1761CEEC89B28C7AF3A95CB062,SHA256=7403480FC4866DB073A49C754F3755C3C6DC2C30D677C33844918EFF2EB1119D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.660{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.644{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:50.644{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azsubscriptions.json2021-06-03 13:55:50.644 23542300x8000000000000000650741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.535{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2723321032E0EF1A89CB5AB11007E3D1,SHA256=A4EA37CDC4306CE13350887F8696F025D45D9B6B94846A63D58CD5F49042BC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596002Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.433{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B54827C6F584320784CE09155819ED2,SHA256=9AB5694FF51B52F4FCBD0E5FA0F528BD24819E4526A39EB3DE2978AEBE2E32DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000596001Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.230{97C2ED32-DF66-60B8-6358-00000000C501}57001468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596000Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.089{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF66-60B8-6358-00000000C501}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595999Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595998Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595997Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595996Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595995Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.089{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF66-60B8-6358-00000000C501}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000595994Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.089{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF66-60B8-6358-00000000C501}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000595993Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:50.090{97C2ED32-DF66-60B8-6358-00000000C501}5700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.050{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B473B574891362794E930C5602D5230,SHA256=23401FFDC6EB518069B421FC97B41642793D7E8C2CC87B36333D821299AFE67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.050{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9BA1AF77F1067DE927BE1180EF8F8B65,SHA256=9EECB237BD5F9142FDA9BBFCB8F4CC9606814E9709F21E8DC4812FE171597351,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:45.618{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50046-false10.0.1.12-8000- 23542300x8000000000000000596024Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C983877BE9D8C8C03C7B31B0A4E4397,SHA256=3F1A5924B5567FEFF28FD14359DEA6A5FE3C8A0EDF2071DED80F8AA226246B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596023Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1E0833AD837D21C004B179F31FC52C,SHA256=3C0324A778CB6541E9B71C72AB9536A9032988CBC73A04543514CE11FD5D0EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.816{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.816{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.660{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCBA87880B7D1F60D58BA35F00F96794,SHA256=D083462998F642F4A789D300E5792286B79C53CAE297280516A3B09AD0C96A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.660{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=23E2FC858ACA39D6B2704D60CC6CBAB3,SHA256=CB1BDEC0F745E2C6C4832B53DE0FBE2663B111FD8007228D07A2B495860E8B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.550{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175ACC7B6F6FA4177540754DF1C360F0,SHA256=15E27D0D2F03C8D063216027D08AEAEA676C64E86666A8AD93C1180F32C0C4E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000596022Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF67-60B8-6558-00000000C501}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596021Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596020Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596019Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596018Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596017Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF67-60B8-6558-00000000C501}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000596016Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.433{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF67-60B8-6558-00000000C501}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000596015Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.434{97C2ED32-DF67-60B8-6558-00000000C501}3424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000596014Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:47.076{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49805-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000596013Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:51.120{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0C00-00000000C501}724C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000650749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.300{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AB0E254BD60460AD2D5DFB32129AEBB,SHA256=9E616BD8A5CC9FF02FD3C8CADDF6BF6BA0994037523AC0D85B088D20A604E4F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:46.859{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50047-false13.86.219.80-443https 10341000x8000000000000000596041Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF68-60B8-6758-00000000C501}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596040Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596039Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596038Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596037Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596036Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-DF68-60B8-6758-00000000C501}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000596035Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF68-60B8-6758-00000000C501}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000596034Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.762{97C2ED32-DF68-60B8-6758-00000000C501}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000596033Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4FE2F6EFAAD1923C0995E1ACD02EBF9,SHA256=662BA152369B4624A17EB4C03DF2DBF00225CB21CB9AE9A51ACADD17F14E56E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.847{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CDC47DEC4C91A98034E7ED6611D6AEB0,SHA256=A6EEFBEE3D9FBEC80D2F5B50BCB8003EF19F20450A8463527327A8308A4EC73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.738{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34B9D7B51EC092B0A4631E5E99AE9212,SHA256=B4BEB85DED709A559F99E482659297E0E16F13084A354443D7424963A550BD3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.566{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94C5443C7F2BB64938A3CADC3706B52,SHA256=80C71DF79E845EB22B447FD1FA19FC576BF1D67CA0BDF50BA959AE7EF922C561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000596032Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF68-60B8-6658-00000000C501}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596031Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596030Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596029Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596028Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596027Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-DF68-60B8-6658-00000000C501}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000596026Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.089{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF68-60B8-6658-00000000C501}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000596025Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:52.091{97C2ED32-DF68-60B8-6658-00000000C501}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000650763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.488{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.472{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.285{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=367E7A75523CD24DC9E288C92B1C012F,SHA256=250D1D5440C42239F0840A2C63C9B31C968271ADA7B331650B28CFE34215AE18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.269{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.269{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:52.269{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azresourcegroups.json2021-06-03 13:55:52.269 354300x8000000000000000650757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.204{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50050-false13.86.219.80-443https 354300x8000000000000000650756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.342{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50049-false20.189.172.0-443https 354300x8000000000000000650755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:47.191{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50048-false13.86.219.80-443https 23542300x8000000000000000596052Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF73EB57F3D276AD9F8D858EA5778E6F,SHA256=DD781F8EB455606B65DF61BCE2545272D43DEA9F09CCF1A7F47ABF03183E8409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.785{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.785{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.691{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C109E63B754120A9B1D60DA97464866,SHA256=F74B8EDC71ED3D4B86090C154A0D7B1C329FC72B055FE0A00E75B253EFB5F701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.582{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.582{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED0B97DB33DE0CA1DC1B3A841B93B12,SHA256=2AC3078D1E8BF0D13D4BC086C2671538130AC17D7C45B9CF1283346BBA722018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.582{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000596051Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.573{97C2ED32-DF69-60B8-6858-00000000C501}51603468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596050Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.433{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-DF69-60B8-6858-00000000C501}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596049Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596048Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596047Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596046Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.433{97C2ED32-772F-60B6-0C00-00000000C501}7244832C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000596045Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.433{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-DF69-60B8-6858-00000000C501}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000596044Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.433{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-DF69-60B8-6858-00000000C501}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000596043Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.434{97C2ED32-DF69-60B8-6858-00000000C501}5160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000596042Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90C441A1A022FDE945087A60C5624B8E,SHA256=435ED585171989470174A4C4B31CDBD47B1A685B9463389BA04B095DDEDD3F95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:53.566{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azvms.json2021-06-03 13:55:53.566 23542300x8000000000000000650772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.238{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30C2BB01C53AF96BD55AAF807F41FAED,SHA256=3CE686C2FBEE81EB7BB81FC549EEDBBB2C59EB3DA346EF353B5E9B75D8FE5C71,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.370{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50053-false13.86.219.80-443https 354300x8000000000000000650770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.584{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50052-false20.189.172.0-443https 354300x8000000000000000650769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:48.434{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50051-false13.86.219.80-443https 23542300x8000000000000000650768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.019{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.003{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596054Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:54.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF7160842EADD047D0B61407AAC0CB4,SHA256=A0664DE194F0F673A66781270A7831F92BFD4F7AC7DEC9A16F44D9A7B231B3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.613{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5D355518621993CFE1C6296CF53371,SHA256=49842AE7C0ADFBE6D03BDCF1DB9D34148B0AE970BADD8696092A2F79157A6AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596053Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:54.433{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B93F0AACB768EF4CECAC4E8A7DA95F,SHA256=5EC31688FF0118630F6CE87A0BCBE91519590B19F3C3428E05F512A93EF1569F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.457{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.457{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.457{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.441{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.293{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50057-false20.189.172.0-443https 354300x8000000000000000650784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.034{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50056-false13.86.219.80-443https 354300x8000000000000000650783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.826{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50055-false13.86.219.80-443https 354300x8000000000000000650782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:49.533{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50054-false20.189.172.0-443https 23542300x8000000000000000650781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.144{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA20C80A3A500F54C6D6C4D0BA458FF,SHA256=30FB13B474962B4ABD79C6D3DAEB6FB810F3EC59F49210597C45ADCC70857A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=01EFF2EF3968D32D44B9BB2220004633,SHA256=625BDBA89184A8889BB80839E1E4736DD90194C7DC07F2C2338F0F184786EE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596055Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:55.823{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11D7CB21E1E1D62334B92FD978AA193,SHA256=A694054269DB0F93A8BA58F2CDC81987AF5E9D59DED5CD8BAB49050FA43FC9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.847{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.847{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:55.832{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupmembers.json2021-06-03 13:55:55.832 11241100x8000000000000000650799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:55.723{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupowners.json2021-06-03 13:55:55.723 23542300x8000000000000000650798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.628{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D248BAA2B6704C254226C7975ADC592,SHA256=CA9D246559C021AA4D39959C16A74F4EF95A95C9972EDB58C2D009762834E200,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:55.597{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azdevices.json2021-06-03 13:55:55.597 11241100x8000000000000000650796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:55.488{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azkeyvaults.json2021-06-03 13:55:55.488 23542300x8000000000000000650795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.488{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2C9BDBA1100992C32C538314E4A0B2C8,SHA256=35E567E2813CD72BF4AF5870387DDC2BB71AE2E9E711DABD6F9130C6074AC44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.394{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E39BA2F7EE236174AE5207EF0520911,SHA256=64818B5373DF510108DC05522B21123290B2D8F0BADECC86D3CAB59C4E9A9E2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50060-false13.86.219.80-443https 354300x8000000000000000650792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.716{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50059-false20.189.172.0-443https 354300x8000000000000000650791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:50.564{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50058-false13.86.219.80-443https 23542300x8000000000000000596057Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:56.828{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE5C2F167397FDC63667C80A97D240D,SHA256=3470DA25836ECA5D7FACE24F2D64AAE8FCF6DDAB0F95A8FE527C4F07FD00A678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.975{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47F88B97BA8CF70F400CCDD8FCB05B7D,SHA256=250FC8FF686EAE3E701DE874E503249D7CE9994247437BCE20F4176E4188DE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.881{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04931F0F3B79F4DF0FA9A78707794AE5,SHA256=8CF5DF67EFF5B937D723169C642DF44377FB275873282695CC00D24F0A9F8843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.803{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C60798CE5C4EE5EC4DF5B841445BF7A,SHA256=A7B6BD020411E4293BA627E97BAB9FED9B4551C6352D7180C5376FA554BBB7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.803{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97A3339C029A3ACE8DD51DC69256CC33,SHA256=237992AE29B7DF6789F94FA9691A6951BE0EA06497FAF0046275F96996BEF7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.803{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819CE797A42C793BB5548843CE222298,SHA256=3BB6D339931977D49F7D93BD2D63FFD67D88CD4B28A37D832689708C29D90295,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596056Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:53.060{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49806-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000650810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.584{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.584{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.012{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50064-false13.86.219.80-443https 354300x8000000000000000650807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.617{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50063-false10.0.1.12-8000- 354300x8000000000000000650806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.484{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50062-false20.189.172.0-443https 354300x8000000000000000650805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:51.337{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50061-false13.86.219.80-443https 23542300x8000000000000000650804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.051{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.035{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.913{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.913{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.819{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB4C2C758C448EE30947B5D8AD3F46C,SHA256=2ED929322699D57EDEF9783F90F6EC41FFB67E170A623F57EE9CCBA871191233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596059Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:57.828{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98308349401C208935EBCD45FE27D15,SHA256=B5EE58E6AC67D97152A0F6BB075F453715EA52085018FE42B0BEC76CDC5307DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596058Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:57.328{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.694{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.694{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:57.678{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azvmpermissions.json2021-06-03 13:55:57.678 23542300x8000000000000000650817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.600{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB84A3A726471C1AE33FDB573C393900,SHA256=E62946248022532B55232FE3D4AF56A18AB19965789919E794884043B6E45E3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:52.183{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50065-false20.189.172.0-443https 23542300x8000000000000000596061Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:58.828{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FA3E2A102686AE287EA1009166FF721,SHA256=5FB0648BD14D0A176D4EE5FB75CF919610AF8BAA814E9591E15765F76CF4F637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.537{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.522{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50069-false13.86.219.80-443https 354300x8000000000000000650826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.744{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50068-false20.189.172.0-443https 354300x8000000000000000650825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.593{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50067-false13.86.219.80-443https 354300x8000000000000000650824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:53.394{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50066-false13.86.219.80-443https 23542300x8000000000000000596060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:58.328{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4530778BCBD2D990DC123D08E2E4019,SHA256=13606329C4D30BBB9D371529C13AC19497041A92DB5BE098D0F0AA95220C7344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:59.844{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84B036A1D0FACA0D47223BFF12BCE41,SHA256=70A3E86B6767781DC95DC4F7E4D5B5FBBCF518DE5A12D3B57BA53FE098786C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.537{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.522{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.319{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.319{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:55:59.304{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azrgpermissions.json2021-06-03 13:55:59.304 354300x8000000000000000650835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.462{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50072-false13.86.219.80-443https 354300x8000000000000000650834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.241{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50071-false13.86.219.80-443https 354300x8000000000000000650833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:54.278{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50070-false20.189.172.0-443https 23542300x8000000000000000650832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B125A7AB276C7DAD57E367ACB2222EA,SHA256=45BC7B1093D1AC2182B492F77161F8DB66A6C235F9D7D1B8D98100259E8A3D50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=16F7A316ED6A3394DBBC51E60E698F54,SHA256=B72D6882F8E6EAB653B967F5CB9B808E93A495097A30DC254A3956C77988CBD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F35E204FDDA25319A7530DEDF9ABA6,SHA256=1EDFA45563A526EE47E32152E59A95B11FC084295F8028914A5341BB7975E199,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:56.143{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49807-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000596064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:00.860{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8356CF3FA77E82B11137D4F07B73A340,SHA256=36A05759B7ACCA01FFB2D2D0070F66A53883BDDD3BC401B2DCF936F9FD688B96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:00.928{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azkvpermissions.json2021-06-03 13:56:00.928 23542300x8000000000000000650852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.741{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4AF56872689C597335F265AA9643CBA,SHA256=A1D59E311994985DBB5FFB33EE5C48EE0D0EE807E3174538E40BC0E823AC888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.459{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.459{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.459{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.444{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B792ECD6057CBBEFECE8D237C4647E5,SHA256=E27AC33710424436F85E7E1CE19092781C58379847B6F13EC080672A224DE07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.287{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76E62D23E372935142B3A0639FA9538D,SHA256=81E072DE73715D82BEC30425568CEC97584D17B07259FB9A6ABEC7F6674DFA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4BBF70B982DAAEB8F51DC0208523147,SHA256=64375AAE4054AB37B18459E867D5703C683143C09330839FC27DAD377B62B6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.210{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50075-false20.189.172.0-443https 354300x8000000000000000650842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.080{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50074-false13.86.219.80-443https 354300x8000000000000000650841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:55.624{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50073-false20.189.172.0-443https 23542300x8000000000000000596068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:01.907{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=256AAC235F44F59E7A774E29E7BDE3CC,SHA256=08188A8D51DA27706A80B832B59C918AF4F9239A141B5CEC9C013CC698CE6778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:01.875{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CE5B86286015D34DE3523EE1E76D61,SHA256=22858F1BDD085D3EE6B1076517B0E63EA1DC630136BD66ABD0FD30367EF6C03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.866{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=056AB5618C80356B2D0D841886810831,SHA256=1E9FCF1C5D9B6DE4578A1548D3D90EDB92B1A34D6CBE777AF6A5856F985C4829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.506{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E87324AAED244626C144E359EBA4DAF,SHA256=7903CC550B6EE48F83E9916D3E48297EE801CC09A0A6B12961C7F803040E9451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.459{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.444{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.237{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50078-false20.189.172.0-443https 354300x8000000000000000650863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.081{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50077-false13.86.219.80-443https 354300x8000000000000000650862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:56.875{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50076-false13.86.219.80-443https 23542300x8000000000000000650861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.225{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABBB5732C68B929856EDEA7F15C9A8C,SHA256=3F6238C7550E275FE20B8BF1ABB3ECF7E2FD3EB146FE98B53C6A94F83A21674B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.225{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\.IdentityService\msal.cache.lockfileMD5=B05E54219EFFBF26C72C743E91245723,SHA256=69DA47BF8A5D03851AD05315692E527443728CD34DEB015384B87871163FC7E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:55:58.957{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49808-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000596065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:01.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCDFAB9ECC84E2A7D3667B393C5EB101,SHA256=A0B01B8A612A3F47FFB6AC19E341539A9C2F09C80F311488D9EA59378CE874F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.209{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationowners.json2021-06-03 13:56:01.209 11241100x8000000000000000650857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azprivroleadminrights.json2021-06-03 13:56:01.131 11241100x8000000000000000650856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azglobaladminrights.json2021-06-03 13:56:01.131 11241100x8000000000000000650855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupsrights.json2021-06-03 13:56:01.131 11241100x8000000000000000650854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:01.131{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azpwresetrights.json2021-06-03 13:56:01.131 23542300x8000000000000000596069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:02.922{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A04355BDB9F25E5A1DA6C3220BF44EB,SHA256=57B09A4902FDA6DA6918A4927C7F84E95C444BEB137B3C5ABA548095611D1C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:02.928{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90F08FA3111094EDAE6DC609C0A5BC58,SHA256=53B3BC8B385F7DB13A794D00EFF42C059A3B743F6C8052526FF013776B145636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:02.678{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2EF860CC96194340B99999860BB40400,SHA256=03EA1FF5A473CA8434F775A9F5AFE40F0B9BD582EDF2ECC213D55646707B96EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.192{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50082-false20.189.172.0-443https 354300x8000000000000000650872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.012{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50081-false13.86.219.80-443https 354300x8000000000000000650871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.792{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50080-false10.0.1.12-8089- 354300x8000000000000000650870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:57.620{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50079-false10.0.1.12-8000- 23542300x8000000000000000650869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:02.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC747E22AFEE4ADF0C44CCF9CE0EA50,SHA256=1189E029575E0EAA42F74725DF9E07DB7216D4F463C0339839CEB0665414140B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:03.922{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECF0E90FE2E544EEBF77E10785D24D5,SHA256=AD9E1FA46433E9EC05651784B687D788FB070789040E6B789E26C3D9FA205BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azvms.jsonMD5=1BC81925A20C7F096502DCA2C9C47C9C,SHA256=6322AEC107856D523DC0EDA6564DD3643E3F8F4F11C5398BCF5BD2905A6E0C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azvmpermissions.jsonMD5=7A47EC350D1D2133DAD1DF478C97CBD4,SHA256=4FBBBD5F5C6D609250940B7F785EBBE1CCD853887C752B6075B2651031067D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azusers.jsonMD5=E144CFAD0FE3AA7EACBF3CA8FDC88182,SHA256=7C5C4DB0398C3A18AED6DA46B358D137B847E783ED1F9F8B839C0B5654C1CED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-aztenants.jsonMD5=D1D52BE3FA4CE6E2D2382CBBE77486E9,SHA256=6E5AA4D5B464D55A65D95FF36675321A8316B2D6ADA9DBFDCDC504E5744A7BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azsubscriptions.jsonMD5=5B499DC9AB3282214FEF6BCF0843A8C7,SHA256=8B33B8615ED1EA02DD47577B19D8EE2398FAFACF56E33066B778A0B86A151D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azrgpermissions.jsonMD5=6EA565ABCEBA55D19CF97E4C96E60B5D,SHA256=7052BDB6DE23B7452F9EB22362F8259C8484735656BA04183E4BD0B8E77BC248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.881{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azresourcegroups.jsonMD5=F6EC60B82A1DB86C4B8766CC6EB167D5,SHA256=6BDE29AA2214694A25CF1985C780E3274CC15E5BF2F9D3ABAB66D5D97E3F09D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azpwresetrights.jsonMD5=D4FA697B3330E334F135E70BD56B1727,SHA256=7BC07A457B9DDD01D44E882740CA583F370D31CE7490F40948552D3A47AB6827,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azprivroleadminrights.jsonMD5=F78CA8D8BDF80D01E74ED7287665F1DA,SHA256=D693916C72B4F996FAB35A085C3378CDF188F376D40C4D894CBA74068DC23CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azkvpermissions.jsonMD5=9C478B11F7528FB3BAA8F4993BAF70B7,SHA256=A92449DED51E6EB4FF14ED36D24EB8A00052F2B69487F851BD05134F5D5118E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azkeyvaults.jsonMD5=4100B70CD1C1DCAE2715B81CE21345F2,SHA256=93D6F2CB90BDDA1EE8CF7372FBBC13D2BBD4E83F7B7B946C8D00216362234AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupsrights.jsonMD5=C3B4A2BB61E6CFC06AB06FC89F3C9805,SHA256=350766AC6EB1012915C4D553E4B051B9108281880704FEE57B9C565624E7D782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroups.jsonMD5=2084BBD7754D35067B150A0B3D8863D9,SHA256=EA31AE8F35B76AD4AAF4B6194992E174636CE5AA07F61F17B9EB44DC734EED35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupowners.jsonMD5=601630A1338D5A321681E8EB6D669E70,SHA256=6BFE453149EC66EBF11BCB4FFC035A3BF20478F3D42FF3CFBB25DF844176D5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azgroupmembers.jsonMD5=CCE2966BE725FBFFC01F218D2B4698F2,SHA256=8D5590A1636B35F1032D6DD8B40CD40CD8DDFF820EE9EA4971CDC03ED188CA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azglobaladminrights.jsonMD5=B8309D3AA5D04E8B9F46A80A3D9082DD,SHA256=4D131E8A1123E337F8FAD05B116CAD47D010C264BA5534C207DA2C2ED83DA011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azdevices.jsonMD5=6E0B808FAA0CCC7E25CEFF3FE2544ED8,SHA256=E86924891B7B1B68EC5C24CAF380E86D474FBDCC381B0A5703A61BFC62065B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azcloudappadmins.jsonMD5=78B89398A676E37D525E6732E8A4D662,SHA256=B7260D16327367A0ACC67E423EE3DB2E43303A874966F58E04A62124DCDDE9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.866{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationtosp.jsonMD5=152DFF62532242B467136D9FA375580D,SHA256=AE43BB0860EF7B14646EB45E24A7371470DC087F19009A046A6F57CBD7C1AA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.850{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationowners.jsonMD5=6AA018EB96650197815AE716B0942412,SHA256=55664B3231D64DB9A54A0844C028828C9E5F8827126D10DC5D5B8C09A0CB04CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.850{D419E45B-A18D-60B6-EF0A-00000000C401}3200ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationadmins.jsonMD5=FBD267B18D994FFD0670FE0D66079195,SHA256=3276C01CC052BB3666FD4B67A63E9B6042FB15409885D40A766BA37888D49E35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:59.359{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50085-false20.189.172.0-443https 354300x8000000000000000650882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.993{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50084-false40.126.26.131-443https 354300x8000000000000000650881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:55:58.766{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50083-false40.126.26.131-443https 11241100x8000000000000000650880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:03.272{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azurecollection.zip2021-06-03 13:56:03.272 23542300x8000000000000000650879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E6D0109CB12F71978094B4EDBD31FD,SHA256=926135D7672B2734D666BFB45A752C59804A70946DA5981154F2F8F6727763DA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000650878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:03.194{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azcloudappadmins.json2021-06-03 13:56:03.194 11241100x8000000000000000650877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:03.178{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationadmins.json2021-06-03 13:56:03.178 11241100x8000000000000000650876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.localT10532021-06-03 13:56:03.163{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Temp\20210603015548-azapplicationtosp.json2021-06-03 13:56:03.163 23542300x8000000000000000596071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:04.938{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AE11913AA7936CD0E369C368779F2E,SHA256=0F22A803CD1BE90AEA8C45D1985DA452BC99CF5971386E2E2D992FE82FEF41D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.616{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E4DE7E910A5D77BB1898E38F817D08E,SHA256=926D2FACB9719EEAC5BC6118C10889FA3B75B548BEFC281FED14B8795229979C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EB90913EF72B958B9569F56F9A4E144,SHA256=9ECEE4E42674E2836DD53C0D6D0B192B4CF3DC9D280DAB6A1622306E232BD815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.491{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B91EB9FA8FBE2C589F245E92B6D9622,SHA256=821EDA587A89EB0AC6BDCBFC7C3D1C2C8466787442AE2423663228740639DF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2B988A1B7DB5623AA82DCDFB6AA31C08,SHA256=10D0D196E6CE1F13996C217219A94FF8E704CD4E75A8C76F9584FDEA2DD92E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BC069878A8EAA53E8F929E0D168B8AC,SHA256=19C81E1C654B50A4BA830D7376D42F2DBA18397EC34B6C038B4CA4284389D054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:04.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5BC0400E97D72FF3C80C520523CFEA,SHA256=423882AEBE59580065299BB7CA89ADB7DC777923AF557D2568DA6CA957641196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:05.938{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC86641B670968011CF0C0826A4E81B,SHA256=B51F3B029582FAF110D15D1A468AF4E9420DFC04B21187AB6D1844445F4B12E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:05.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FE516A758E0AFA3BC0079FD178EF92,SHA256=0C5F0A82A6E4319CF135030D9E6D1D4C35BEF72FB5A0C53808E0BE20713B29F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.605{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50087-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000650913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:01.605{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50087-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000650912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:00.312{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-233.attackrange.local50086-false20.189.172.0-443https 23542300x8000000000000000650911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:05.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BC27D8F390AC29FD44134AEFC595008,SHA256=B8E4AE2EE9C92F53E488B6AF252CE1489DD8B7988D430089EC8568AE9F9850E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:06.600{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B0D97DFAF0FDAC9A072CA283EF1C1CC,SHA256=C9A5DF5412CF7A95EAC1DF0AB1258F495D90BAC3ED145C4F0540EC386D61D00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:06.600{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1349A19FE54CD26AA1E6E97595D8D0F1,SHA256=F570189893697D1A78ED6A6A5631709D2E873FD4DF67BD2B0E6EF5A3343C2211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:06.953{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0844E45A484D591F4F1E00B014F157E,SHA256=19267175A6A750FED8DCDA60FFC007E60CF1141264480AF4D80E6B73C6D810D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:03.987{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49809-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000596074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:06.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439B2F7872A158F65BD18A10FBFA08D6,SHA256=36FBE70BBB922950A5C893B7ED1CBFA49FAE0FD1B4B71F0FF925A84D26E80C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:06.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C85AED24BBE729478B3C0A8EB36B2604,SHA256=5FA20B634471B57A78E22BEDDC1D30D98C45304E279AA6C9938AEFBF085A31B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:07.969{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DC08109E1CE34FAC84733BFC232AC1,SHA256=18372FC7006EF1B7F16970424DB84D7CF3B6DDCF69B7B6688C3C52F7B343B8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:07.834{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A3AC1DBF03DB4C0783CBC3964FAC52,SHA256=6901BA7CB01A1F0CA95C8CA71B7FE874408F7BF30A1C597A210FA0CB4F988F01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:03.589{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50088-false10.0.1.12-8000- 23542300x8000000000000000596078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:08.969{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFD355356AEB494532CC71E748A03FEF,SHA256=0157E0BEC2DC9C889D9B2D72FB77EEB9ABE5DCCF1990DFF9EAFFD59170934452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:08.850{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDDE40F6E2823CA3ABE5C008A7F06E7,SHA256=BB85696A6D8A50097D2396907C92DD554C9AF5EFFEDC7E13BBB47FF5880CD517,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:08.272{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C5C8AF71324BB38801C1E68A5517210,SHA256=141B9E3515194B2C2F0685864C1DD8AFBF474EADA33AD8AB265591AB977DE6EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:09.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AF48A2C69819BD809ED014B7A2F63D,SHA256=B228A4B4267F2540A4055059C44B7E422CACC8C1A51D14CD322BEF8FABDF0739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:09.303{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F40AC16034B25A4F0161308ECD2D232,SHA256=758266EFC7CE29CF0C9C1AF833399E3115A732C1DD4E0EB4236F998F4DCE3103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596080Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:10.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C4A680BA078A08BCE60AB573D5CFF5,SHA256=C8E8309383FDC3B5363C72E60D0AD07729E6C2E05B97EBBEDEE96F9AAA76CCA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:10.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D89BC14894A558CAFBA2EAAB91E23F2,SHA256=4303FFC0ED49064940A9C4A63317473465BEA26B79BDDF4931B2B4A687BE6071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:10.084{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CD3AC4AE294581E9C7ACF8269A0214,SHA256=FB009236F715443DCD82512078A32529D5331CE1742DCD47EC95372FC36FE01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596081Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:11.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2131036C5E4899D381FD912416BAA8,SHA256=527BC82EA0DBCB323ED959378345D799345C0B9D3BA605BE8CB3EF47D06D5D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:11.803{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5F127F8FA521DB1A31509E7930587A,SHA256=714AD503C2ADC74C618420ED2301E69B4FEC9A8B3876084E037A311D5D81A72B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:11.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2606A38875EB88E3E991025FBF5DDE45,SHA256=0DE47F7B1BB188E4E41688239A7C0950AF7EA1480E2A4E47EB0A9493A96D533E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:12.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AA239C8791BF27FCE73A7BA201CD3A,SHA256=CECB6836A94E141F6277EF359CD40776530ECD2774C4D6ED7CDDEA7806719713,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000650928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:08.682{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local50089-false10.0.1.12-8000- 23542300x8000000000000000650927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:12.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89847F1D5B73FEA21905A71B9EDD0EAF,SHA256=869BADD5F51232E70474686786130E10DDB811F1C04F8CFCC917E52CD7D3C001,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000596084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:09.971{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local49810-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000596083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:12.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C778B4F20C337BDF25D10DACEE3C7D80,SHA256=C61CF25FD00B318263CD2E1FA2948BADA4D6C8DECE9C09A52104C60165472734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:12.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439B2F7872A158F65BD18A10FBFA08D6,SHA256=36FBE70BBB922950A5C893B7ED1CBFA49FAE0FD1B4B71F0FF925A84D26E80C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:13.209{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DABA3B04DEA8EFE745C1829E86037136,SHA256=426FE8558047CEF4CDC3C49B82D2C5FA9CA574CC03CB1441B854D215FC0D3A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:13.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3435E0DDCA56E1305E891C9FE3D009D0,SHA256=D34B796B73FDF9F9E25355B56418B5BE8F78A6A55C338F52A5158AD7E2A2CBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:14.475{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AE6EE84059660246D904D575704692A,SHA256=6B4A865B488E389F03454D0FBB55D6BC6FF6F50D58A79A2E3A25EAE8A217C495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000650931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 13:56:14.178{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74748BD898B9587081938F3AFE7BC358,SHA256=60AE6C7162F8A7F473DAF57D42406F4CB504B3F82BA55D8C45A179A4E8C8534D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000596086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 13:56:14.016{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA4A2BC85A7D732CAA56C2ABDAF25E1,SHA256=4A0A3AC0EE1D6E5811F6FA51A272817A5A39556526955CFF3EA61B7992F02ED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:31.662{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65026-false10.0.1.12-8000- 23542300x8000000000000000683284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:35.948{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B5210131BD4296B70E8B216A941EE19,SHA256=9A4028A9CD1BE27707BA2035A8BF86C139077A98C057382AFBF357B112FDE3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:35.651{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE227F8D51CB47BBC3D717670BBA4773,SHA256=1357E4CB34A438CB200A6771B6E4AE8282C786400887B760B514BBE920A97C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623279Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:35.756{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C901C62528D98487C8BC3D9938C10FFA,SHA256=2543AEEB85970E7757445DDE793859D31B6E4E45979DA84592F7A5FE77413234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623283Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:36.772{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=822303B694061C1337EE82B812DB25F2,SHA256=681F9C086BCECD45EF531EB53FFA2007F2A22D6CBA2F3B74BD301077EC89E9D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:36.760{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5659085DE84EA32539EB96DB17525677,SHA256=B15D89D56A5E298E3C4F105078ED20D34B86935340C1264C799AA8556D04432B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623282Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:33.962{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51575-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623281Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:36.115{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7606A73C978EF8582F087A46573F0776,SHA256=7A112B3BAA81F7DCEE70FC5D0A5D9956D10109D903162D39E7AF07F8FBEDBAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623280Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:36.115{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B05CBAE59F8248922BE275F0A882C97,SHA256=AC2B0374298DBA288CFF175A27A7843FEC7CAF326A2B1234DDB45CBE15231EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623284Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:37.787{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DEA0193E42618C453F74AD5AD2246A5,SHA256=A08874D8E1341545B9CF0E5E6C27B752D7FF0FD630DFCA2E27A311910AB7B820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:37.791{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0808B58D6034B32ED00BA71695DABB8,SHA256=E4F8A34EE2F3F00C3A6F98D269D23AD7FB6E9F1FFDFE9D2DEE2B9A806AA19658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:37.057{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E113E6AD3D669CCD6E0DEF5F2E377265,SHA256=830390485981E7D67B83F2BD91FD61C33A3C0DD6DB7997B96B927BEADBB0181F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623285Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:38.787{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A7BD0CBE761195EFC4457F04989F2E,SHA256=EAF839F046CDF89662DCBF9D4A1A542B8ABC5A5A699227F3FCDB63970F6AB756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:38.838{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=060229EC56BF0EF4DE017E00AB697FC8,SHA256=C7735815BF2FCAC311A682F8B85C715174B7F5F5FB00CC945DA403386E8A198E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:38.198{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4151682E9973885DB95AC2345DEE58B,SHA256=6DD4F2A47B0DEE9A43756FA66D6604AA374BA78664F826AA096117B4D67982AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:39.885{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEBB5FB733767B9072BCDB26ABDBB52,SHA256=0085F9A5BB6F0E3BEA2A2EB7728B5BCBD73BA6958AA56C3EC9ACB32E7A093920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623286Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:39.803{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D758E1595DD7AC690D088C6EF831D9,SHA256=BB51B237C7D915E363F081C1587C0EF0BD9DA237189E462D14869BD20E410DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:39.479{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7299A5DE70C0AC5820B8C4D949A00BB7,SHA256=4D010E8B156CD4D0A9C94769051BFBF95D46ED19C946CB8E5BADEA90A4F8809A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:40.901{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBDA21F852B3B1215931155096D101D,SHA256=27BC01968510765B5FC4E217DF2799DC2375EBFEFB11622F8FF72DD38B078E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623287Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:40.819{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7672325DDAA9D6113F5BF447B608CE,SHA256=2D278E425F70AD8BF50CA8D891CC54A73EEDAF7B30E73EB9A1011DA2A9B02783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:40.698{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8DC07A544B8CE3D1A0AA43E7F97EFCC,SHA256=FDFB6C9FF10A0274E618533B63B6F8643964984BFBC8CEA843F2BCCCD976B826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:41.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB672BB3393280ABA72D3CDBC26C335,SHA256=34D9749798FA0774B616481CDC8F9A82B594837DFAE5DCD8AADB40392524F47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623291Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:41.839{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DFC75ED73810F171A749E2E70B25A5,SHA256=31A56B3B67AE9B2EAF3D4703BF9B930734EE8B066A616101D439DF76C2B28C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:41.791{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BA447C1BA874467E0827312FA356744,SHA256=47AB98EF779CB893DF218794E1CF33748F2672C7C5D85CE663544065C03A6972,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623290Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:39.036{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51576-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623289Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:41.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81D5AC9849DDAF17C1534E522CDE96DD,SHA256=C6F8A67F93C6157F83E2E2005F7918FD2C999703ED88B6E8B0260C4A5D0FD75F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623288Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:41.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7606A73C978EF8582F087A46573F0776,SHA256=7A112B3BAA81F7DCEE70FC5D0A5D9956D10109D903162D39E7AF07F8FBEDBAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:42.920{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773805C13D89B91C84CC58AC174A9FB3,SHA256=BEA3A9163E96AF173621563741E17EE770E6D69008226A3AF427D06E5C196EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623292Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:42.839{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6871623741F7FDDF900D24AC0ED31DA1,SHA256=9B09EF1A0BF59AB9D671C483CBA1C5FA638A666BC945E53A5672615A823C4C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:42.826{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D07EB3FA468E14F6D33D4D6EDA4BC67A,SHA256=726D07C0F5789EAFA44382879B3EBBEB4A17A503AF374D00BAB66DBAD53AB57C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:37.521{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65027-false10.0.1.12-8000- 23542300x8000000000000000683300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:43.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=240AFF09DD0A600B843E32325D284F19,SHA256=B760551E17A8AEAA9F8B31307A56C59CCF8623209752ABDAEC418E0BD62AFBBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623293Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:43.855{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA5A4DEE2F141916C0A84AF8F464617,SHA256=757B4C4A0B31D7ACC2A71D33F2FC1523EF7E27C1D2389798690130191F0F4820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623294Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:44.855{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E20D06AE194747E2D5337801C4A6D01,SHA256=5A1A29D8EA993DD0DAD5601DFCB9211C99512737FEB12823B58E12E9AA781578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683302Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:44.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755CF6437D44B1050ACF5BC7617A4135,SHA256=CFAAA8AAC0F5532FEFC58B3D53FCB9FA41560669099A5B5759E17EDB70B1E772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683301Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:44.311{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B86F760ED0C44EB18920548D8516877,SHA256=81D23A486C5F03E503075B6D5D536D72BAB8F81C697EB59A435A0C3764506531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623295Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:45.870{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C594F017C80440E1CD27F35E56668F1E,SHA256=32F7FA15A1160D28D2C4045819530A8561F9104EB1F3B827CF1FD16B7F389B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683304Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:45.983{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CACB05287A0CA4AC072B8E6B237D24,SHA256=E79553954FE90C0A1A0F379D4F3CB8E5E18CC1764C9194858ABB09B0E22A91FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683303Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:45.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B01EA127E7B50548F06B694CC423FBFF,SHA256=F82AFF032398D59824E813A26031C54DD30A99C3649023FF4F716AE821366831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623296Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:46.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F64E63FA8FB897E49D5452FDA8FC1D9,SHA256=4BF3A6003F72DF0B217CDF7587EFCA6C9E3CA1B57C7E937FF2A71694E109B380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683305Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:46.733{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=200D21C53127E88F6CF00F3018D19254,SHA256=01E37D13F152D9BD57C8E5AAA63254694158B22DED4DAB12A44655ECF79E3D89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623308Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E85CFA9ABC6B53D0AF72C913170EA53,SHA256=70AF9A249C40B6E03D9A3C909FB748D7747721E7A1A4575BA4F5284B2B213608,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623307Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.839{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AB-60B9-FB5C-00000000C501}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623306Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.839{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623305Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.839{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623304Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.839{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623303Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.839{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623302Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.839{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-00AB-60B9-FB5C-00000000C501}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623301Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.839{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AB-60B9-FB5C-00000000C501}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623300Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.840{97C2ED32-00AB-60B9-FB5C-00000000C501}4344C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000623299Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:45.041{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51577-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623298Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.230{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69E6DDFF2657BDBC13114C8B624419A2,SHA256=69B166F17BEE992A90ACB0939EC3F441290799BE01760B9F782B26345A95E086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623297Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:47.230{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81D5AC9849DDAF17C1534E522CDE96DD,SHA256=C6F8A67F93C6157F83E2E2005F7918FD2C999703ED88B6E8B0260C4A5D0FD75F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683307Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:42.556{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65028-false10.0.1.12-8000- 23542300x8000000000000000683306Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:47.170{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF72147627A0CEECCB5699B1991D0B4,SHA256=8DEE51C294D5263D5D236E5E89AF9E1132ABAC6767336F4652FD8761CFA97533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623319Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE355A429FC438D66D5050857BA2A19,SHA256=29A8D4DCEA19F5B924374FC4B98D32CDB93B510E3E6A9A2EFCCA23CE37D82E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623318Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.886{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69E6DDFF2657BDBC13114C8B624419A2,SHA256=69B166F17BEE992A90ACB0939EC3F441290799BE01760B9F782B26345A95E086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683309Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:48.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A372C10FE62016B2E16FBC97ADC0FA2F,SHA256=A334292EAF4FA00FB797BD12EF8FC7DAEE7127B51052AE30CBDC359B1914D241,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623317Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.526{97C2ED32-00AC-60B9-FC5C-00000000C501}52122488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623316Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.401{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AC-60B9-FC5C-00000000C501}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623315Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.401{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623314Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.401{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623313Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.401{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623312Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.401{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623311Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.401{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-00AC-60B9-FC5C-00000000C501}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623310Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.401{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AC-60B9-FC5C-00000000C501}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623309Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:48.403{97C2ED32-00AC-60B9-FC5C-00000000C501}5212C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683308Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:48.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69B64F50E655E70AEC9707B68BCDB7E8,SHA256=CF167BA4DCED760F9CEAA1EA0BD18CA786DB78E6E5A87BCB16EB2467EC8BEA46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623336Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.901{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE5B7DD06391772368F4BA4DF20BB9E1,SHA256=5E8B1637EFAE6A280186DC82D2BDF8AA2ED79492FE6B6DDDA5B40F2BA3AA0EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683311Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:49.358{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1EDC52FFB27A520D6DAA64E6A1F4D7E,SHA256=FC4DC63AF72D10E78DEDEB4D3203C1FD2F00F35A8537CD1D7DF5C5D3FBF76104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:49.264{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86CC6D97645457347706FB25642FAE3A,SHA256=391EA469F1FF51F6E3732EF223F5441105B4430523BC9B4BE9546642A7F77608,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-FEB9-60B8-B85C-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-FEB9-60B8-B85C-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.698{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-FEB9-60B8-B85C-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623328Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.699{97C2ED32-00AD-60B9-FE5C-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000623327Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AD-60B9-FD5C-00000000C501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623326Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623325Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623324Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-00AD-60B9-FD5C-00000000C501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.027{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AD-60B9-FD5C-00000000C501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:49.028{97C2ED32-00AD-60B9-FD5C-00000000C501}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623355Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.917{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94579E6B1F9D78D98F3D30E8FE87950E,SHA256=C48E06773AE8F86DF096DFB57A0E1A5111C9F7F9016B0144E5C3255364F6ABED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:50.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA5ACF40965BB17A3ECCA446BD9D6BF5,SHA256=DC322905E98F5B0A95141E7CEA8BAB11944CA99069901696A0FD10E491B19FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:50.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93EEE75CE47EDAC95EA4E2C34B18CC4F,SHA256=D41BA7118DE48F0B22882E990B37355BA0834E19EB12407C54E930AA7EADF3F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623354Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AE-60B9-005D-00000000C501}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623353Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623352Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623351Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623350Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623349Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-00AE-60B9-005D-00000000C501}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623348Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.901{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AE-60B9-005D-00000000C501}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623347Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.902{97C2ED32-00AE-60B9-005D-00000000C501}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000623346Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.495{97C2ED32-00AE-60B9-FF5C-00000000C501}31562964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623345Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AE-60B9-FF5C-00000000C501}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623344Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623343Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623342Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623341Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-00AE-60B9-FF5C-00000000C501}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623339Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.370{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AE-60B9-FF5C-00000000C501}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.371{97C2ED32-00AE-60B9-FF5C-00000000C501}3156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.042{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0FC5AED0DDB8070CE9A0CEA41E1D8C3,SHA256=6DE88D10EAC2B3F60DD05B53B5030148DD083FC1AA2F7E389491FE433B3BA028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623367Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D703FAA07F8AB2CDED9604279841E31,SHA256=8928197F731FA6A64462D204C63D69BF91DD871DBBF90F4EAF60D234C519E96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:51.639{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0C19A0314208618B63772078D510E0F,SHA256=50714A67240DC7007B833DFF3CF17E12E3A7F61426C794CF13B01BA8C3E0AFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:51.358{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB29E39D26B0C0B82B8AFD121FB90D6,SHA256=02A57F2DED5471F68C923F909F71AFA6245F3F1D8BACAA2E4DE473882908B4CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623366Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.573{97C2ED32-00AF-60B9-015D-00000000C501}32282760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623365Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00AF-60B9-015D-00000000C501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623364Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623363Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623362Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623361Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623360Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-00AF-60B9-015D-00000000C501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623359Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.433{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00AF-60B9-015D-00000000C501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623358Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.434{97C2ED32-00AF-60B9-015D-00000000C501}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623357Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.417{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=938A1A3069C311604B32000BAC2F7959,SHA256=A8DCCFEB75CC73D79C49BFCBEE2262414D28426A9B06B39F65357C9AA5475D34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623356Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:51.026{97C2ED32-00AE-60B9-005D-00000000C501}53283848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000623370Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:52.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A775F259B84C957339364C44A31B14,SHA256=DE314D6A90226B0848EBD4506A8BB200D7481227DD9F22DE90C81352B0E3E455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:52.811{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B53FE9967E889297FBCE27885535E372,SHA256=213B11B43B891DC8CC34B3B3D87C9F5D41F02A0F047C05051DB1DC476A913411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:48.478{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65029-false10.0.1.12-8000- 23542300x8000000000000000683316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:52.373{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C5B3B50257CBED7ED993F86CFB4848,SHA256=5FE347652F1FF487CC4778DDEBB0BFC29DAF7356DB5DBEBF8F3B138CED9D8D0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623369Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:50.057{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51578-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623368Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:52.652{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFB993D2E73A21FBA2A3F3C30027C8E0,SHA256=9B5079A942609B3E05B749F977EE42BC52675EC2889A6E1FF99F73EB90090491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623371Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:53.980{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD999DEAFCC21611B6303992E759D90F,SHA256=3FE5E7AA20018C26685344F28B49207318A422A15F12B98A6EA45F4F0E349EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683319Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:53.405{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0273B1C3E72C439399481C3871CE65B,SHA256=C33484285C92FBEBF7FCF3497BBA273DF083946211D0C8DC51E570755C2A7A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623372Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:54.980{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60049A14902BEBC531389059345792F,SHA256=BC1EB1F78AADE8E6C0CEF1939528B3E419A4A52681B3EC5C1E1CB06534C1D3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:54.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B67879A1F5A2AEB57776F2F7E7C76E,SHA256=3450E4E623D3F212F551F57F7C17696785AAC40676640A195F600CB6335A1811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:54.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB1B17D6EA49B154F7D06B1ECC684CBE,SHA256=C6C435BAA747CFF714E39473395AB7B93225CFC82856C727A93EA6C73DD9659D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:55.483{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B5E97107DDB4D5081043C9233EE2F7,SHA256=8A69D4C49B423A14382798FEC393C5851D0D7E78DC53F75275BE22806308B1BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:55.279{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B61863FFBCEAB6DDE148EE91B247B57,SHA256=2B2047E79F327ABDAB41F19AA08E3F5763E1E7622F23D00A0BD33BBAC9417B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:56.842{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4707C6F63FBAB58770493729EBEB990,SHA256=A29DC6095C123EF4FDE792C853CECC3419D6CEBE4577EB2F5167AA4C143FE77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:56.498{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B27C6D2C8B49BB466A08561260F2C4,SHA256=5E691A4250D308A600CB3D6121C9A93133B8AEDB312565A9ECB85092515E3C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623373Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:56.011{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2565EE86C1CF2173AE103851228D4AFE,SHA256=25B5539A97512276E98F7E7C2AC38BF4501898E7540EB51561F319309EB59A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:57.873{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4FD2C4C7A9A120BD2DD93BE2B4F5F27,SHA256=0F5C7DB32B1CD68B4BBB32B5C2F6FEE42C19E0226708E4AC3DE49E8BEBD90370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:57.514{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8D1146D3F70F881624190A0FA7D8F48,SHA256=74586265F6573FA4FC86BF93872A0B6BB20A331CFBE55903D84F82C4264089B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623374Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:57.012{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CC1D52E4E5D081BDBAC1D8BB4F2656,SHA256=CA0867D48C0F85FEFD5489DC604C2CAEF6145D54EE9AD7AFD70CD300DE7A81E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:54.478{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65030-false10.0.1.12-8000- 23542300x8000000000000000683328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:58.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A823475041F35478F2846E628BF97D8,SHA256=28A07EE186E7E396AD981D3B2A3CBB4A7E2606AC7013BE07DF220B6E6741B8C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623378Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:56.000{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51579-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623377Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:58.150{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA25ADAA2BF201C332493F1D65D4DE4C,SHA256=A41E6A9FD9E85716D7162E73CB0ED7B60B6E708E63CC68FFE9B5CE4F75CDE1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:58.150{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48B505BCD758BBAC745D923AFA130A33,SHA256=F36A21D4EE51F6C9E7E6062FD9866E190F49D70FACF0BB391C934C55C34C0375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:58.025{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBED50714E180AB4DC9C0E535276E61,SHA256=5A6A4A341F3AF3F8A66F88F48609004E37B2046EC8D428291500B64E6B61B44B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:55.667{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65031-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000683332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:55.667{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65031-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000683331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:59.545{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC32218ABB542355765208ACFE901651,SHA256=6857E1D4028165F9DEA0EE6ABE5C93F571254418EA2FD375ECACEB5E9B9FD6C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623379Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:59.059{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6330D00A0A78917F39BA32C50CBCF8A0,SHA256=F428A780A436AB3E33DCB2C02F5F30ECB33D3430C53EB299BD8935483BF70B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:59.030{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7818479271C9555D8D31C1E56D90180,SHA256=4F99CCB1B2C685CDAD81ADBE8C4421C0AC8E31BFC73D5618C621B14F938841DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:00.546{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9D01F76F527911EA46B455D69BA91D,SHA256=E4C1FE9F5C3FB5DE81312462ECF34546FD57114A538155CEF9F47D0CFA87AC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623381Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:00.544{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623380Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:00.075{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED02AD71C005938A12992B24B2770D7,SHA256=BAA20879E2E25CD9376E28A5936216347F5EB7380374B290A1F52B31E565912B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:00.265{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0F767F30E79979B02E095D3FB276CC6,SHA256=BC1BC38925B21BD0D9B0E45FED6F7DA7CF71AB3DD430793374A5C8BE78378B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:01.575{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B31AA0AED30AAA13D0E2649E8081535,SHA256=0AAE17969C40CBEAFD064A6FA70FA60E47DC5991660A072FAF4826A9C87529FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623383Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:01.575{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA25ADAA2BF201C332493F1D65D4DE4C,SHA256=A41E6A9FD9E85716D7162E73CB0ED7B60B6E708E63CC68FFE9B5CE4F75CDE1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623382Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:01.075{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC54A040A482361AC4E97748AFADB63A,SHA256=88374C0E08248925A3A8E28118369FC2D8F113804D3390985F3D9CA5DCC86281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:02.581{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059C388786CB4447E7D71AB6C2D98915,SHA256=6D4434677F6E01A73B9AB5823B0827D7F33063466B09C9EFE6AA1EEC6ADEFF25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623386Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:17:59.387{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51580-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000623385Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:02.828{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ECB13A6FD62AFD9DBA0DA25FE6B2B8D6,SHA256=81EFF2597A4E99B6F7B0B90A4014B672825D104B0AEFD00D4849E98EEFCEACDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623384Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:02.078{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3B35D3011AFEC5B5108D3AB1C426D5,SHA256=3B91DA63405C3BD06CAAD315592F1DA9A7F87CD0DB32779AAE74C03F18534EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:01.987{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4712727E5D098987AA5A1791B924569,SHA256=071FD94742308C97D704560F071A0FE34DDB252B738B04787508F0FBEE9E1FEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:17:59.514{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65032-false10.0.1.12-8000- 23542300x8000000000000000683341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:03.612{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:03.612{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A17ED85DB4267B8949F388ADF9F197E,SHA256=FC419FA7278B7FD48073E998179A7FE99071A5B1985DBA988DFADB4FDD5393D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623388Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:03.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B476C6D818E31C4C9D59F76045F92B3,SHA256=ACF5CB441B6C56317687D3B12FEEE5486E00592B1A375F616E54FAF084E399F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623387Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:03.078{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D630E58150F9A315776934A9711FE7B,SHA256=F9DB89F548537C832C96C4B9466553D1B65EE95350C6CC406F429BD453660FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:03.050{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A4DA55784C7ABC0C13B83B69E6A2418,SHA256=F68644411DEF14F597DBFC35E7BDC86A058A5BDFACE9194386B5E8758BD2518E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:01.013{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65033-false10.0.1.12-8089- 23542300x8000000000000000683344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:04.675{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644D2EF0B944BA713DCD21CB6F81044F,SHA256=0B1804BA5E5EB9995B47FF77C45073E09FFE0F899792FBEAEFCB373EC709A8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623390Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:04.094{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5B1E60E56C35E980779FC5011AF020,SHA256=10F01CF88DFABA87835D1DC9226DD0A95199F48CE06B83F1AED519E0D520D26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:04.269{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4608B10582C2537E3DB998E8A3994E97,SHA256=0CF604308B6B0BFACAA3BD6B94FE6589CAB0B8920445515BADC42D1977F547EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623389Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:01.002{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51581-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000683347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:05.691{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5DBE19C23E521E89A5B4EB65483EFE,SHA256=5F42771CE8BE68FDA4E41C37CAA9906CD8D5F14A0B33E5A23411405127AA6E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623391Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:05.094{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44C4A048786759BFEC39022FA7F3853,SHA256=74473DF513AFA4ABCFE9131267DD6FEEA786DC62C622ABF98226B6552E2A3E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:05.644{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20F99538DDD04D438E2DF682A0EC0312,SHA256=2024D51C5CDE71F8D380DB6E5E88421E7ABB3E0B4D6557F9E27A8D5A6A82EC2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:03.139{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65034-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000683350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:03.139{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65034-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000683349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:06.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=894188C9CC3F4DF31F9DB3871AC7D65D,SHA256=A65258453D61C956C91C8FBC39E6FCBE7F24714C90F9C9CEFC3A3FFF1F051F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:06.722{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B1DA4951A18F3A77CEA464CDC2DBAA5,SHA256=84FB688DF1611F35B367972B6E8AC2293A7F9348489F17121AE8E144B9D064A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623392Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:06.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A2F621EFC59A98CF0E8F18D4F70032,SHA256=12E283E247B019DCE8FA7EC521C88178E67EA17F3E647326265B3A359539EE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:07.847{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=893D74BFB3DA39D6D8DCAC5FD26FA704,SHA256=0272E7BAFE2880CE01E60C9D7C4D4D4140D36B3E9D595C25C2CEEEF177CBE95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:07.753{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF034B10D6C8B156AD4118BBBFB94EDF,SHA256=31A201FAFD0ACFFB34B819FC1FBC4D267B08E589A70F41A62A58FFC04589F526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623393Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:07.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58139DD2C110D92AD45876E0E5CED62A,SHA256=5C120F035692A45EBA3F599972A692B1AF0CA4FC4D6FA28912BB519BAAE5DF28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:08.800{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1DE7B2C7F72D888079501DBDD1363F,SHA256=73EF0072D1BB34184B12059C4AAF483EB7EE3DEC47DD9FCE9B972C44295501D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623394Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:08.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542BAC6481D25E35D753525F7E4F0CCE,SHA256=050E4226904ECC1F54E3310EC7A8082D5898F01AA9FCA489E2BF9F196ADB274D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:09.815{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F4171ACC17D6AC38F5639150525C77,SHA256=11159CB70ABFD16B692C89BAB4C9281A68D20B4EA1B93772E525E80583E27133,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623398Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:06.890{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51582-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623397Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:09.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F0A381162B48D6E2FF1EEB9093DC47,SHA256=AACA9F06C9AEAB5B5E47D27E10EA731AA962440AD19540141FA4380180B7B871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:09.175{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=092F0DB344C90D97A124B9969ACC806B,SHA256=83E9FABA803591D7E53C142B8CB3722F89689A2D2BD1798411917A8CD12D3130,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:04.576{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65035-false10.0.1.12-8000- 23542300x8000000000000000623396Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:09.031{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0812486DC3F1D9942982B893BFEFDD39,SHA256=E5ADCF127389F36CCB444F90025223D07E1C5349B5B34A85D65CD2A2A68C410C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623395Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:09.031{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7971EB21208D8E1E9AF5EB74905C9B68,SHA256=F0E9F249EAD77D47BDBEB18B6AB0EF4ACAC9E05FBE41ED3DCFD992AD738DAEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:10.831{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB577A7440B142B75D2B6A7FFAC615E,SHA256=FD85F13F2D0FCD93BF8AF098F44182A29127BD913DB2B6724E4D4658750779A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623399Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:10.156{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEF6FAFA5880DAD3C71396A6B81BBD77,SHA256=D9FB7233AB2AFAD9CAEA003AB65140C29C0B6D2FAFADBCD54E6AE6459502ED82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:10.800{D419E45B-7530-60B6-1600-00000000C401}12684140C:\Windows\System32\svchost.exe{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:10.800{D419E45B-7530-60B6-1600-00000000C401}12684140C:\Windows\System32\svchost.exe{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:10.800{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000683358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:10.300{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=753D994C50A5DBE12A263708A361122C,SHA256=065D41AB8DC608D78E56F28AE60844BB5F3AB55E0609C03B4F32A3E85F52FE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:11.847{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED506853F6A08C6345167622A1F72EB,SHA256=DF193B38D822B322109D1BCD989744768D724C45AADE97E4BD8F505DC46196D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623400Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:11.172{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F739319FE6EFE0E41E91BB4C9A0717EF,SHA256=4F35157D81B9A1BCC4E049FB9B758ECEC6A5CEFB86CE57F0B7844C5B0A227C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:11.534{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49D58272B20226F848A5B9E8924AE337,SHA256=9AED6F53FCAE68ACD8630DBAF863EABD2432FA2541BAE434BF05544DE642FBA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:12.878{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F79F85407CB9E78497DE60471AA4829,SHA256=C432E74D75F55790E6037461B8CCA6E8DD6ED96F41EA1EED4D85E44C322A0506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623401Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:12.187{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36A321E9E8757C4A4B7C5FCBAC2417C,SHA256=A3C6BE20BDD0218994F48CDB7A6359E18A8E6445F56CEDCA4B4062510E74B37F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:08.218{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65036-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000623402Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:13.187{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC0A99B6B61416BF6D9F7E1421949D6,SHA256=2EB1A464BAA04B0A37CCC059F7F8555A2950DF8A415BBF6DD7219EF1A7B99655,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.878{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C5-60B9-9452-00000000C401}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.862{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.862{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.862{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-00C5-60B9-9452-00000000C401}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.862{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.862{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.862{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-00C5-60B9-9452-00000000C401}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.863{D419E45B-00C5-60B9-9452-00000000C401}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000683405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.831{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B4D3AEA63BFB00BECF129932923731,SHA256=B48D39B9D1A55E65A52237FF7AF0B9A997699076933EFA471B91494D9C353699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C5-60B9-9352-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-00C5-60B9-9352-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.190{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-00C5-60B9-9352-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:13.176{D419E45B-00C5-60B9-9352-00000000C401}6728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000683367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:08.218{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65036-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000623405Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:14.203{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B63FE8C23F7D9860C7764E2A5BCF91D,SHA256=72829221007FC51C1D5995818CE7D332DD62EE2BC0C3AF07CA6EB6B6C73E582A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623404Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:14.203{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4472CC514DD28A644F5D3C23C74B84CF,SHA256=A4FA56587A1CB20C97C6B79E827C6F758EC49624FDF362CAB5C3D116E241C36B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623403Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:14.203{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0812486DC3F1D9942982B893BFEFDD39,SHA256=E5ADCF127389F36CCB444F90025223D07E1C5349B5B34A85D65CD2A2A68C410C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.878{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C6-60B9-9652-00000000C401}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.878{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.878{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.862{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-00C6-60B9-9652-00000000C401}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.878{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.878{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.862{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-00C6-60B9-9652-00000000C401}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.863{D419E45B-00C6-60B9-9652-00000000C401}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8346F1608705B2495115664B6CF012A,SHA256=E6338E4162AA9D5A84D3491BFC4BA515BBFB3B5A101BB5DCC7BED0AE3C6734C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D534EDA9222BFD75AA15F13CA66ADD1,SHA256=2594695E342561FC1C714CB9AB4F693D80A97EC16C8861AE6F6F488636C3CA4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.378{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C6-60B9-9552-00000000C401}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.362{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.362{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.362{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.362{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.362{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-00C6-60B9-9552-00000000C401}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.362{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-00C6-60B9-9552-00000000C401}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.363{D419E45B-00C6-60B9-9552-00000000C401}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000683414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:14.097{D419E45B-00C5-60B9-9452-00000000C401}19566164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.722{D419E45B-00C7-60B9-9752-00000000C401}69565452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.565{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F38726ECF7E9265C464E3A9D54F498DE,SHA256=CC30BCA3365488586D3C10AA63737709A6CB48F7E3C0506F0B1A7343B427DE80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.565{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C7-60B9-9752-00000000C401}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.550{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.550{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.550{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.550{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.550{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-00C7-60B9-9752-00000000C401}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.550{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-00C7-60B9-9752-00000000C401}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.551{D419E45B-00C7-60B9-9752-00000000C401}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000683435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:10.451{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65037-false10.0.1.12-8000- 23542300x8000000000000000683434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.237{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94D0BB66B096832B2A28B620B3FE223,SHA256=655B550F21B5A7DFB1F7B63C543FE8B380F14B986D83DD9914204C3AAFEC8CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623406Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:15.234{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B5B1C54D85B56E5E385E1B73C2FB8A,SHA256=D3E53C372B37CAB184D75EABF912CA1ADF73CE58DE15EC0E6ED86747ABDAB92B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.081{D419E45B-00C6-60B9-9652-00000000C401}4392296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.737{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C8-60B9-9952-00000000C401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.737{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.737{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.737{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-00C8-60B9-9952-00000000C401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.737{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.737{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.722{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-00C8-60B9-9952-00000000C401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.725{D419E45B-00C8-60B9-9952-00000000C401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.722{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F8512620728D7E41588FD83D63EB5A8,SHA256=137F1256C3A6361BE158D416C44FD2C1F8C35A6AB2C03622DE5F1AC125B73B94,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000683465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000683464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09f15c8c) 13241300x8000000000000000683463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588b-0xad30b886) 13241300x8000000000000000683462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75894-0x0ef52086) 13241300x8000000000000000683461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589c-0x70b98886) 13241300x8000000000000000683460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000683459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09f15c8c) 13241300x8000000000000000683458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588b-0xad30b886) 13241300x8000000000000000683457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75894-0x0ef52086) 13241300x8000000000000000683456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:18:16.675{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589c-0x70b98886) 10341000x8000000000000000683455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.394{D419E45B-00C8-60B9-9852-00000000C401}63562500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.253{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B992AC7B659FD0D6F28A21CF54B1F9,SHA256=3E6A74233961FC4FC8B7601411AA7013E3C16BE780B11216D4087F97D4E40B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623408Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:16.234{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6F2A9F5EB6C5C54023C045C03A2FE5,SHA256=06A4FC5ECFFD2761760CC044345500FE59F3E8C3D803328DBD5D2D850273F159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.222{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-00C8-60B9-9852-00000000C401}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.222{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.222{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.222{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.222{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.222{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-00C8-60B9-9852-00000000C401}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.222{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-00C8-60B9-9852-00000000C401}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:16.223{D419E45B-00C8-60B9-9852-00000000C401}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000623407Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:12.046{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51583-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623409Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:17.234{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FBE79A8E183954F577609FF5F5F872,SHA256=85CDF33D19A8DC6B6EAD710379F898AD9462E5E475BF838607C1D1796EA94078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:17.972{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D47A5D1A9005D3FA9C29FD0953A8152D,SHA256=936CCCAD7C7034DFA023E32EE7ED7D8445008976ED58DD0D0D0BBBDA831DA0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:17.269{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC09C257D77B0558804B5C163CDCB4A,SHA256=940E45DD2F07BD90DC7ED92C63978C52C09927F99950E5A4E9211052ABB263CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623410Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:18.281{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44719387F06680DB4D62D88C0D3863F,SHA256=4D067B98F099F8D42A8D5925AC3D024249AFD115F3F6BCD04A872F14FD6C8D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:18.284{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3A2D32C753AA759E829353AC7837F3,SHA256=00D77FE50A6DD49CFF9A06A7B0988A7F733A0C5D4C6A86143A1090927EBD3F95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:19.472{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=656954222196326D4C7307E4DD1CA966,SHA256=0082AD59B49A8986B0B5E1A83F86F0CC6110AC24A7BC0D11001DAD63E1609D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:19.472{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E82085092D8F8001C1C6E47079D51CE,SHA256=FC7D4A132D281FB544F9C0EC5A32F791D6833640F0E8616B6025D59EBE6E418D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623411Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:19.281{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090D2D1A30CAD84EE9E2E5B85EB8A5AE,SHA256=95F12DC3685E4C19665BCF36DDCC385183D7C09ED9C74936CE248213A7848CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:20.503{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E40F4C14C778C1D0AC0BA049EBA903,SHA256=14D886B5601A77EFBB4E8F1CF961F23D275BBD9F2F9AF9EF2F337A6A24A88FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:20.487{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968F131CCAC4C6E68A39DCD8D3FFCF52,SHA256=9FA7FC16EAF3BDC05C794B2125394052AD97859C5FEFFCC9225D58289F522BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623414Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:20.297{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69D451BFB5AC0817141046FD4206759,SHA256=7626A099C4EF219B72A7825300BF6B8D3B6C048ACE403E39CA8E49072C48E3B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:15.545{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65038-false10.0.1.12-8000- 23542300x8000000000000000623413Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:20.062{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B1CC26432A4EB358A2EEE43BEA6C162,SHA256=D222FE833474FFADDD6EC56BDDA3BF785F09C8C2C826E0DF195BCD9D47813B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623412Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:20.062{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B63FE8C23F7D9860C7764E2A5BCF91D,SHA256=72829221007FC51C1D5995818CE7D332DD62EE2BC0C3AF07CA6EB6B6C73E582A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:21.628{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B94647E8ADEC4E7135AC4A4A3813C9A5,SHA256=F4FF043520EA8E2083C6BD2BBA48B3B526744663A8C1A5CFB507D655CA9BB7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:21.503{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A557214B81E76522AB86851E767606,SHA256=EBBC04B183B37FC53F2C0FF827AA319CA64A54297937E6CC4AFCEE4ED65154BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623416Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:21.297{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B4D148AFB96541CF4EED9FF1C3812F,SHA256=699AF9A1FA08FDD8E055425B7D8C9A8BD30835C9B255A24DAB1609C80414216C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623415Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:17.923{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51584-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000683486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:22.751{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E800DD15EA77EEBEA8D60AA4B2DD16A0,SHA256=2C1883D2795A0B3A1F642EC614AAEDCA0AEF91FA8FC9988C9E68A94FC0CD42A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:22.610{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E7A5CBE3D94B2302BDC38AF9C2413B,SHA256=EAE5357156A5E4D60DA9FACF12B92317C1A977AD137F51E973443F2A4BCFC036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623417Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:22.326{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6728E4B2F455F47333DF834E7D750B7E,SHA256=5F2928318FBF8FB1E794660AEF375D9A38FC2A419AF910C7EEA76782BD30FDDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:23.907{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BBEF8ED2ADACAFC606B2700A9F09496,SHA256=68A4E06DA5BF4177E2A6A8A53B255C9D9C32198CBA285877C1428B1FAEA4DCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:23.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A5AF37106B957350B5CB285AD74F510,SHA256=5A2CD5F7FDD51C7504E675D04613B776BE5DEEB8971EE9799F9B4D60D3F145E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623418Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:23.342{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DA812752990F0FB2F77A580FE4B7A7,SHA256=ADF47F1331187372A5A8D3A5DB4958AF35A77CEB81FAF561573C5BB8C86A53BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:24.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3458B8DD2202D4A9CAD8F69A2CC003D0,SHA256=10AB3E23B0F24D6D7382F7B09E4E24AA6EDCDF1DDD5B183F12240FDC7078BB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623419Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:24.373{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F35D4ED10AEF4513C9A534F4AE894A,SHA256=D9E0677DE4B4D3027AD6810BCAFE3B62D287392F2202E19F907BF54C7161357E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:25.673{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BAEF3019DCEC697A0BBC914B832D8B,SHA256=6D1E01F65B9E9921E13C0A63B4DE4064D2C581A2F1C628B36B0415D1CA00A0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623422Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:25.373{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85ECBBBEA3FE9057FA9029C573DA7C4,SHA256=E87B5BB72A40F2B279E8A34D4D24A948EA8C346ADB9E8D243F640AB1143C0544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:25.032{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEB7EC58EE3F415848DFDAB512C5DD3,SHA256=F2A69A7B17DE75DF4198808C56991398DB0C8A39989E66AF19BD1F386C1E3671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623421Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:25.232{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E01B331F0D16A0F272F594B07ED409,SHA256=02F85D51F30E403AE1FA5E6E628A6CDBD0F8AA85A28BE240B4CB8118C93B846B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623420Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:25.232{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B1CC26432A4EB358A2EEE43BEA6C162,SHA256=D222FE833474FFADDD6EC56BDDA3BF785F09C8C2C826E0DF195BCD9D47813B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:26.720{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9B5B12F83749D7393F853A671F2473,SHA256=2891946FACDE0D66E3641FA0798EB7D0B1952ECFFD67A1CFC113111D5DD28BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623424Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:26.420{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D96A18D0521C1DC31FD821A4C29385F,SHA256=C637845401D91BB2B9B87FD25718C24299BA4A51D4A7F3DAD50B875D1B4F7D16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:21.465{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65039-false10.0.1.12-8000- 23542300x8000000000000000683492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:26.173{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E65BF73777DE2F92F5FEE9834E5E16,SHA256=2EB3AB1A41CA849858CB01E9F16137ECB759F9080A5B589F722CF1DF01DED005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623423Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:23.013{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51585-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000683496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:27.751{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C96E429F1F91B22CB63FF1AB00EF7D0,SHA256=7BB731B1117F90763AD34457599AEF4D10FBDF7D1D8AA947517E1821C40242F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623425Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:27.420{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC44050C95469BD6ADAD9AB4E8ACCD6,SHA256=A37935F80603C1FDF57FF8D9A426E99E0776C2AE187CEE51B2AE80C99CD8C0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:27.642{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F99EC9219D83D1BE3A8550EF40720AF8,SHA256=BAAD7FC457D3A57CA528C61AFD3A4A896ED787E2CCEF2BB0CDE5CB946B337AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:28.940{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79D136CE02B9A3D643BA58213E0FA81E,SHA256=F7E33A3294B66C8E8F41C846972243291D5C519BC3A68C4C9366D16099975EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:28.752{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4767E7AA0CC6AF74FDF62106B9CE35,SHA256=C5E044656030701534EDB3124BE629A7E6F1C88926897039D698FE5677A6A731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623426Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:28.451{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D0FC1B7C8ECFAE766164FF54852137,SHA256=7D2E7CA92CFC7A48A04A943A9AB02163DEFAA921C76489821DD8791527B628AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:29.846{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA67D03A276DC02F1074747110F6C27,SHA256=EFC61F4C9DBAD09A6CE557801FBBDAB2258F3AA11E57CD45602C59BF651FE358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623428Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:29.467{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CD416F57E3B3EEE38EA881B7EFC032,SHA256=C255A2271A9A897AEDAADCB88361E23341C62A8D9925BB340B15AF0E5ED2DBB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623427Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:29.373{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9e9b801.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:30.956{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AFA423500CED690094853668C0AFD2,SHA256=ECE55118AABBC3F92B7D17F1EEEA44B422B4D0605EB3A0AB00614AB171C13764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623433Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:30.935{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5722371BAFF49C9FE6CE097DFF5BA2FA,SHA256=E4589B9CB139569A55B755038EEA14DE55B7F85B260753E6527DD91429CC6B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623432Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:30.935{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=86DD466D94A2CFA7EEE39E05DEED47B5,SHA256=91C6957CDBBBAE11E1C5782F14D5BB2222B5795A20F0A3261951E431661F90E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623431Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:30.482{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07187033D78C86B2514954431041C8E,SHA256=15BE0692E820DB3402918F63B42C75C5DF3435B715CD84F3EFE904ECFFDE93BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:26.638{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65040-false10.0.1.12-8000- 23542300x8000000000000000683500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:30.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=554C69BB8FE4C74AB8A0ADA0BC5E3969,SHA256=D76B747B656CBA5DCCFF97C6C642361BA608D0288320264B53FC9AB53D1D68DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623430Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:30.295{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4FC8DB02B6A1BB357B2751270BA823B,SHA256=120AEA7C7CF18E631DE865BDCB52393B282D747F150E25989B54FD4D28E60A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623429Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:30.295{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E01B331F0D16A0F272F594B07ED409,SHA256=02F85D51F30E403AE1FA5E6E628A6CDBD0F8AA85A28BE240B4CB8118C93B846B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:31.971{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70EAB626FB7FB69EC9EABB6BAA7C0C9,SHA256=3FA86AF9F9AE9B66F1410A84D1BF6D7E777FB61F507F62550B2817B1B33160FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623435Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:31.498{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AA4F3AE16885ED15E3B60C7EE6AD21,SHA256=57D320373F1077DD4BFFF4C854BD650F5248A08306C99CD46ACFB0713F30C526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:31.252{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93876EFCF6B8616DB3611FD7D95A9973,SHA256=6C37A1DD393A92DACF40236DA7F39E5C5EFB8A8CF78797C1A8A53E2EE9078E2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623434Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:28.108{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51586-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000683507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:32.987{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CC5A4F298772BA10021FE0B3D61450,SHA256=C52A17D12B1ECC92E841ACD26F471B96359327E61463FE6029A50D840730545B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623436Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:32.514{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF950EC59CDD7ADFCD0B9202B8612D25,SHA256=89C509716AB9A29BE8C219B536FE72448013DA52E083746E5C74C0290850339E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:32.721{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E399BBA3FC0216A054A27DFCF6652BBE,SHA256=8F95578CBC67D75A8F7A1991F3F8E31BEDDE8306B19244E75BB794A2F3940CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:32.362{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97B813361CD086542691AE1594004839,SHA256=327E60E6E531D284544930A377536E1BBA7EC2BC34FD309262942151D1383B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623437Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:33.529{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9FC226601BE8B73ABB9DD5E3D14B68,SHA256=1B3BD211CC59F7410319D357FAE173C6E0EB00B051C6EE145DA09CEB16A877F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:33.471{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B024C341F9F341C85BF34A0D9C0A1FF,SHA256=A31CB5CB0CB516AB47CBCA67C2BD081C76829D8AF0D2E31B19E8BC2944DD3F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623438Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:34.529{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E041CBC68B5F412ECFA9B4DF2CF3B7B,SHA256=9490979DFBDD53FAC98F88E45C9A2672A9BCE1643330A194C4480F1947C7BA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:34.721{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17189617B9592D41CFA42E0E5F62BA2A,SHA256=F0AA06463FEE705DCA218E52F2613A7BEC57A88F94B449734149A58A013EF588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:34.018{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7377E9E4F3DBD9FC5FF6343A83E5F7E,SHA256=686FBDBE509D3DE24389753889E382B3C5B79667F15E6779C576F2C60E14EF85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623439Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:35.545{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A04B40C259073564A834B210E23BFF,SHA256=A472DE48D25B117BB7254F8CD799F4BECA4D8760B564435BAEA6B02E73A4005C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:35.034{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEC756CA61D64370F7FA6535C7300CF,SHA256=E1AC8D65B212A867DA956F889613EA37DFD1874A626FD9AE6AE4553D51306960,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623443Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:33.919{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51587-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623442Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:36.561{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2937F5B2BA6AC3A05367D997E13FE09,SHA256=92E2956DDDFF0D69AC19976F7AC5046C9A5E17C20ADCDEF5EFC40DBB8F2EACD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:32.591{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65041-false10.0.1.12-8000- 23542300x8000000000000000683513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:36.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EF8979D863C6CF7793ADDF393D20B5B,SHA256=3E949B9AAE0A59DA0C2D268865C37E7DECC5C10C6DDCF23BF2697CA0264FAFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:36.049{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB39F7759E34B12CD73BCEE5CCE01F3,SHA256=A5EBEF4F895F9E6429D7E486517984FDE8589F6904F7A49D596D9E8F652E2950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623441Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:36.061{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEFDD776494103784083637CC2B64B20,SHA256=4CD8EE42A21DFF0D1B33ACE1EB5A0CB7CA3B4590DA42BC206C09F7C5FA9B26D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623440Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:36.061{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4FC8DB02B6A1BB357B2751270BA823B,SHA256=120AEA7C7CF18E631DE865BDCB52393B282D747F150E25989B54FD4D28E60A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623444Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:37.561{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CD27D0D22CDA711C5AF4E0B5293C50,SHA256=C4F01CCCC658336866C6EE3CC4571C0760E4E0C90A9CD852A46D773E64B410B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:37.456{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2E341AD9E09807C0457AD8087CDC179,SHA256=6AD6F0F38DD7ED457448323D4DB1C4A4CA41225864B759CEB4F24CFFAD02264A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:37.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98C8C3BE18B640A3787D994C75B0746,SHA256=5293DB6D348A6FE5C2C8E1132032F98660D75AD341BE960D71E7E1CBC18EEEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623445Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:38.560{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4051CCD7A6223E8EA68C4E0E9CA9D19F,SHA256=4588C3E4B472A31515B9DCAF28DE1BA608D7098756F49307ACC4BD58F3893C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:38.737{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3712BB73D10C2E8EFAF339A1CB02A636,SHA256=F67CCDEA8307C855BBD9CBE814B8D5BC7DD602DD73EA76593E2928E02523F5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:38.081{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26638AD709EBC525C7AC1C76801D8A5A,SHA256=368E41706B839ECAD797E44004BD224D7689F8BEA7780CF4FE6486F0BF85340C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623446Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:39.560{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCE655CBFD4CFA7959013422B3DFDAB,SHA256=DE62C48162AFC4B1ED00CBCBA12D9DB05CDD26F821DE1A50E94A9A8D949FDCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:39.096{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1510576E24F34FFBDFCC202BAFF73F1,SHA256=2C8B8D613BE07E699C804D21B66C6279F92050D3A784D1C8ECE36CC13D65ED5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623447Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:40.561{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687AFCDCB1E39AB0BA32AA10EF84C0A7,SHA256=5B2168DD6D0762C0D1F372C0B31C8D3070089A8970C7077A42D0B0178E87759A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:40.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36967B06F0BF3F8EF432E92306370CE,SHA256=F50DE43A00E1D932B3B476697117456F07575F6681A270008CD2D45C37260304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:40.002{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AC299CE8A2FCE05FFCAA9679554316E,SHA256=D8AC2C2BE77BCCA83389B6FE9AFFB9D202E9E91B5854042FC2A6650A8D61383F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623448Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:41.561{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47B0E5597733D942BD8B0E5766EFF293,SHA256=024801F9DC8842C7996337DC3F839E7391E615657F1879D9DD34184E8A76663D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:41.331{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CDF6C5AE35D32F171942C92B0B38E0C,SHA256=81A996570A3B35AAAC45EC30B6DD1D8A312902FECB1B1C77550EEEAA440C3847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:41.127{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6A8E059EEC1F8716F56CF74ABB3C42,SHA256=7C9BE4DA16C01C3C3B182700BFD30E4132F05AC7CBD78C2D2E98C522D539AD98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623452Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:39.950{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51588-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623451Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:42.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A478EDAD1DB2CBE5308202A71256AA8E,SHA256=A5168FBA455CCAE442301F48FAC48011F097C307ADE2F16383B2853BB03FBB27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:38.623{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65042-false10.0.1.12-8000- 23542300x8000000000000000683525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:42.466{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38693BF5A4A9F59E78A39BC499BB4A9D,SHA256=11EE9DCB5C1EEA9E536CA3BC5CB9DFAF70851EE386DD196604DAD978C7778242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:42.138{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF185799885984BFBE446038731A883B,SHA256=A332E67E438E8B123847A2479449BFBDC0DE4009632A357FD7A6A82584CEF7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623450Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:42.338{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EFCEB5A1092484AFB581B2C51D41470,SHA256=A974909CDBAFFC776C5721DA75413EFE82FF9982E1F110F1E1653D6B9AC4F6F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623449Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:42.338{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEFDD776494103784083637CC2B64B20,SHA256=4CD8EE42A21DFF0D1B33ACE1EB5A0CB7CA3B4590DA42BC206C09F7C5FA9B26D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623453Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:43.588{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125AA34EED5E8C4CA2B53C5320D2CD6E,SHA256=EDF3B29837716B925691A3AB3E5461B5D3F5CD03438523250B3BE070C8D7C617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:43.623{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=910B85D723F873A1F9E1678EED836014,SHA256=241E586FC652AECB15E70C309A542F3A3964C6354BCFB8B3C41F5A6B4A25EE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:43.154{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A50A74237D02E7609C04442EAD745C,SHA256=9A06F81E0AA9B7C072AEB5E24AB2D9D4598247F49F0D0BF4E89EAEC4D6BF23F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623454Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:44.588{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F332885F80EE311A06B8DB6C2E7A8D9,SHA256=8AC666CD9967E1AC631A6C64010523E98AF2C8C2F857A5C0E3999428EEA4684D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:44.888{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E92CFC1436F7F660831FD903329C0CC,SHA256=373FCA291915FB58D44783125852E64656A14D552E440BD30F3109D82649F1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:44.185{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E2DEB549CA5376A6ADB93A200E9622,SHA256=D55C6CB2395363C0DC5B81501680B169D6773643DCD2503C74C8DA9B1E55C83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623455Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:45.589{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC12CA330C472CC5C894905F55AA25A,SHA256=F832D5ABC743EADAC8E3AA39930082343767DB9F84C35FB19CFFAEC827D01AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:45.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7253EA65CFB5BCEA3786309D5D7D4914,SHA256=5E539A62BF2963E330F405B5ABB44750A63B8C3F8AFE208E59E9F2A782815CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623456Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:46.589{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8CE95E3553CADC6AB363AD1D8E198A,SHA256=719486BA8EDEC65BEE63F38786FD02380D839F035A118A588D38183658ED586E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:46.841{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:46.841{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:46.841{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:46.435{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7A3F4B103869F66B71A0071F280BAD,SHA256=D225D71A7E7A4A7EE178CE4ECD59D058376E69678B0D1BCD70B1F022AD22E320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:46.357{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75CF59A4CB05B8F9568B1AA29D1E8A86,SHA256=68642889D8B8D425B42C4CC6BA4CBC1759957672812BE0A7CF36A098F8D5AD27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623466Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.917{97C2ED32-00E7-60B9-025D-00000000C501}57805256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623465Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.792{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00E7-60B9-025D-00000000C501}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623464Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.792{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623463Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.792{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623462Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.792{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623461Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.792{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623460Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.792{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-00E7-60B9-025D-00000000C501}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623459Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.792{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00E7-60B9-025D-00000000C501}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623458Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.792{97C2ED32-00E7-60B9-025D-00000000C501}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623457Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:47.589{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92249B34E2B25228891CAF8A936C4CB6,SHA256=A9A386759335B3EC857B27629ED68C82CC6B2FFEAA152915C99FC5F7BC105CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:47.560{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B90445C6DC09570BAA24B84A85EDB6C,SHA256=3D1F605442B40373E4183EC50001E8F656D1C1E7D49E21F6D881951B0E692737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:47.466{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99081B3156A0961663BE7EAE11FCF514,SHA256=82D5FD951115FC676D53D29F1F9D233F4A6F0B5BD0EFC47434CA4E6C4B915C4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623482Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:45.917{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51589-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623481Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.604{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104F668FCF9DCA4C8E51C3C584BD44F6,SHA256=A7D369C1A8740C04F941AB36EDC9AA36925E710DCE613124AC264F321609FC9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623480Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.604{97C2ED32-00E8-60B9-035D-00000000C501}43042776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:48.638{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BD4D4682D0A3553B38BE09DCE5B48A3,SHA256=0DB534A848112D5F1FC2AB11B1270AAB5760EC9D67F4736605DD43E8A5BC0580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:48.545{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984A5EBC857C057D15B280E9824C6329,SHA256=9A12622A747DEF8E5EB98547A3643CEA345A8461D74429BDFFEC665004CBC6C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623479Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.510{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623478Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.510{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623477Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.510{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623476Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.463{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00E8-60B9-035D-00000000C501}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623475Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.463{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623474Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.463{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623473Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.463{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623472Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.463{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623471Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.463{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-00E8-60B9-035D-00000000C501}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623470Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.463{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00E8-60B9-035D-00000000C501}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623469Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.464{97C2ED32-00E8-60B9-035D-00000000C501}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623468Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.104{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAA63E09D1391E26C8D3C1AF9AFD8CB,SHA256=402040E949657A326211988C43C26BDDBC96335D855CF497140D63000259BDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623467Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:48.104{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EFCEB5A1092484AFB581B2C51D41470,SHA256=A974909CDBAFFC776C5721DA75413EFE82FF9982E1F110F1E1653D6B9AC4F6F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623500Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.807{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00E9-60B9-055D-00000000C501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623499Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.807{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623498Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.807{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623497Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.807{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623496Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.807{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623495Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.807{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-00E9-60B9-055D-00000000C501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623494Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.807{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00E9-60B9-055D-00000000C501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623493Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.808{97C2ED32-00E9-60B9-055D-00000000C501}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623492Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.635{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EA391C5D64E21A088073977F75BD4B,SHA256=3E623EEC136D729210CCB98ACAA57CBED53CAFB13B7CE685B179843BAABF57E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:49.763{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A54710F3CB028D54985058BD633EA24,SHA256=AE003CF6B46EF5C893015EC69FBFCDAB6DF4D163777AAADE461420384E3BD32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:49.560{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F40C3DD124FA69EEB450868EEE64D3,SHA256=8A1CEA4E1E72AAA440C6781DF812114E9B900D5B655806313385A261E789638D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623491Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.620{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAA63E09D1391E26C8D3C1AF9AFD8CB,SHA256=402040E949657A326211988C43C26BDDBC96335D855CF497140D63000259BDE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623490Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.135{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00E9-60B9-045D-00000000C501}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623489Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.135{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623488Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.135{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623487Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.135{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623486Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.135{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623485Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.135{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-00E9-60B9-045D-00000000C501}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623484Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.135{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00E9-60B9-045D-00000000C501}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623483Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:49.136{97C2ED32-00E9-60B9-045D-00000000C501}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000683541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:44.673{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65043-false10.0.1.12-8000- 23542300x8000000000000000623511Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.823{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FBB60A64E77FF972455EA8A86EC71FA,SHA256=E743E553350066CF0C62D90963200F1CBF128AC42BE0213DBBA0B432A76F7465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623510Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.651{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0365F80057F3AC18598061A46F749C0,SHA256=01DC55D5BEB46B892F31E8B56EE7250DD1D44D05EA81860B74E5DB2F92F49797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:50.935{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A2A2C4832AC4264575495BEEFE2586D,SHA256=FDAC027E3D1C047F3E43893FB09E11F1D38B7057CCA990D4F96CA3608ED392CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:50.560{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168A27A4BD1888EC17D18A489C437321,SHA256=BC10A281419A4F62F6D53DD86537983AD4D791E3A94FA5EC0FE009887AD09E03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623509Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.620{97C2ED32-00EA-60B9-065D-00000000C501}46123152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623508Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.479{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-ECE8-60B8-435A-00000000C501}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623507Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.479{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623506Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.479{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623505Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.479{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623504Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.479{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623503Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.479{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-ECE8-60B8-435A-00000000C501}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623502Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.479{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-ECE8-60B8-435A-00000000C501}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623501Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.480{97C2ED32-00EA-60B9-065D-00000000C501}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000623529Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.807{97C2ED32-00EB-60B9-085D-00000000C501}52444952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623528Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.682{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00EB-60B9-085D-00000000C501}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623527Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623526Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623525Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623524Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623523Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.682{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-00EB-60B9-085D-00000000C501}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623522Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.682{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00EB-60B9-085D-00000000C501}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623521Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.683{97C2ED32-00EB-60B9-085D-00000000C501}5244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623520Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661083FB411797793A6BE889AF119D4F,SHA256=7001C28D96F78C40B75D9F9E765E975EE24298D8CEF394A9D2986E847FC42DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:51.591{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B9C54EB631C7DF80F1E5F24B94F733,SHA256=9F577772AFB6EFA467514D5CA67BC59C8939552AE8C67097333E04E1D63F4089,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623519Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.057{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-00EB-60B9-075D-00000000C501}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623518Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.057{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623517Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.057{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623516Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.057{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623515Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.057{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623514Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.057{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-00EB-60B9-075D-00000000C501}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623513Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.057{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-00EB-60B9-075D-00000000C501}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623512Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:51.059{97C2ED32-00EB-60B9-075D-00000000C501}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623531Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:52.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A4BEAE1C4932374E792F4120281DCC,SHA256=50410C470B9BFC70C232F04FC619B6E055606CCFAD465689429EA75EA51F7152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:52.623{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8C87480A06D246C9D61F95A7A865DB,SHA256=202A3A40AC39FE2CAF4F5093431BEE1BECABDEA47E0C5A872DA064AD94A80310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623530Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:52.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41EF0A990CCCEF2D56EEFF090859AF69,SHA256=AF0E6C80DFFE91BEE75F7D8739D946DDCA44EAD2F14098B3AA57A71C489CEE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:52.076{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEF0E7747C10796C4AFDC070793816B2,SHA256=7A530841F02A2993D0D5BAE0791726F02687B3BF307D1A322366F063730D068E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623532Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:53.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FDF10AEFBF39C0D5C8C46E96D30C914,SHA256=151BBF5FFD36B9666F00AD27A497A3D883A324C64B106F0E38C347EA15AB5350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:53.638{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03E983945EBF6EB75387B396F6789F38,SHA256=4832F8E62B2E15ADE0922125B2EAEFB95B8F669CB633051EF44B2DF98973DEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:53.357{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=843BCD8291698D113023D189B61A4708,SHA256=C687C37F11837D8307C8C33E965B29CFF64B29844C74DD0EE176D90FFADD5E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:54.810{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE20FF38686C7D27064A2E0EA96A34BC,SHA256=8E18FAAD06C00332EFF276EA6ED5CD5EA06B071DEA20473082B196AD692038D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:54.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6447CA6283B3E024E0614BA9BEF62132,SHA256=4E43E7DD00B26C76B66FBDFAE652ACF8515CFB325B9D4544856CFC7F244DA340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623534Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:54.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4850F09ED99FB6EBE15045C8F6ED6F70,SHA256=DA58773CAE2BE1002424DFEA73E79AA42AB28CFA264B9C277AD11F93585660D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623533Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:50.932{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51590-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623535Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:55.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F78E95E3EB7B4AB30A4EFEC5BFFAE3,SHA256=E17059F60A38BF364F29098D543341A03DDA7C6D961CC182AB7A22BE34DED8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:55.951{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B17D98FAD5B1E918160B97D470D6402B,SHA256=5906BAAB5D06C3AA4BAB57465309583E26E287112AF6CCE711C259649D00C6E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:55.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0957770DF51D696DBBCA5C15B842AD4E,SHA256=16F17B332E9AFF8757A9E79BF3BF4410BCEEF5766D6F40716FA58A1396402779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:50.476{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65044-false10.0.1.12-8000- 23542300x8000000000000000623536Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:56.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9608BA9C3872B66D60F4248676F50E76,SHA256=4031C1AC071E55C83B0E3F071798E85EC134FEB4A95AA157B64B7F6ABF28AEDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:56.685{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D35092FB60DF0821588971495EE6DF,SHA256=12A9BB64137F2BC60B63572FD451923BB162580A87F4B409AF8234D68B86CD20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623537Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:57.746{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B214F23C9424527095C0139B2C777A,SHA256=D8318F4FA9096FFFDD6F10B254E7CC61744C5C29443E0BF80B6691DA8EA850ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:57.717{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D366CB70C82CBC0616FE934517285994,SHA256=6A23D6BAA07415002F616B4BA1D4C9D401823A248EB45A02785A82AF98BCE5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:57.107{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EB6556C380AA5DB094403F32E9A576E,SHA256=938B581E85D781A9312F80F2084E5EE531C9738EA3C2ECE4DD40ABCA9880FC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:58.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F0C079F3B3BC03A5BC6AEA07BAAF38,SHA256=40B4C1D4B1CF4EA2A6A35838AAD520692D0FFFDE993CFBDC537D4A57F0C5D809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623538Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:58.778{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11DFB2CD6B59B98AFD4E5934183C58D6,SHA256=8194E2DE562EFF8CDDB6C8068935A11C01E9A4D0AD8A2DD0D66EB3E902895D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:58.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D9D3A78B15526E70991E7ACD37CBBF0,SHA256=6705B50F4F850F2D55C40B3EF2232FF40AA5086469DBA14E522113E77A405EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:59.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F32410F2ED769C902A93981632CC7D3,SHA256=A7256B9B8B478FCDDA3EB9C84BA0021FF3CAB6C212A9EB04D1BA60870B8FE78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623541Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:59.812{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A289A1F6466F33C0F009E21DD2001D3,SHA256=EA79E50C63DB34E734AF4B22792B9CDE06FF5EE099C0E0011E54BBF399B582E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:59.592{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2F9D9CF53585999BCAEBB44A7CB952,SHA256=0F84B223CDB408BE2CA3A74F95FF33B9971BB912859AEFD6313E4F05989C61F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623540Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:59.171{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D747CB1E61DB387D0DCA82CD639E3D9B,SHA256=C0169598990F6F68DBCC97EC25B94D0881A6BF83032C3AC4283E61615075EB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623539Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:59.170{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85883678BD2D679B5DB7D7F7809C8687,SHA256=7FDEA5B2F39055AD410FFFF6AFAB4C16EDD2CEDB45146735F48C69B223E7E0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:00.857{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC2B1CB05D93253FFBFEBF1E67E96D5,SHA256=90A66143DF68DA82847DD6375B2EEDD60FB45EF48B4E0E98D92DC60A4BDEC4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623544Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:00.827{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1C05EBED7347107D94FAE7F4839ACC,SHA256=3134227E2474D51C8EBD4D86A4E83CFAE1AC774CC1496892EAA1A943CCDBF767,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:18:55.617{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65045-false10.0.1.12-8000- 23542300x8000000000000000623543Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:00.546{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623542Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:56.964{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51591-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623546Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:01.827{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65F9D449529E05220C30B4729050E6E,SHA256=2438818D1F8C44E32AA20990ED9E5ADDACCE8E0495D96008A5B8F715DDE03A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:01.859{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4702331D70011B95ADE75C10471D885E,SHA256=3FDB5E3D18AE0053FCF6579061253750899201B815B49A9E7138F2109D92320F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:01.076{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C1D6004E84E95F2CC2922295A895262,SHA256=D52C629A210BF6178EAD082D2208A22F58DFEA424BFDC71AB861E4FAD948F654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623545Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:01.780{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D747CB1E61DB387D0DCA82CD639E3D9B,SHA256=C0169598990F6F68DBCC97EC25B94D0881A6BF83032C3AC4283E61615075EB12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:02.865{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C674D80D22A6EFA5E8190A34FF3AFB13,SHA256=42580C061A42A98942CD13435BB0B8B997030453F47308153A11507FF5439B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623549Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:02.859{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41C5311DEEEC2B778733C66F62F65D9,SHA256=55EE952991045BBF2D8A9136928D3B7EAF72DE3495D6702FE3C861A35DCB0700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623548Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:02.843{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F73ABD5A11A9FE19B63A6ECA0D54F080,SHA256=CF2ADF4F2A0D7CC3ADF61E27D5187103F0D2EC41141A204AC5F7891B49EE42B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623547Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:18:59.407{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51592-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000683567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:02.221{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9C049E7FB398DE6BB974C52DEAAA187,SHA256=D313D89A4E0BB6F14B392D25348C33E32AC3889260F4A9F37E376E14C81C05E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623550Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:03.890{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7F160AA20380743304608AC18AEB62,SHA256=D6891B28D471C8CF09BCD8335251B0CE00F39A0EF11B33F902CE0F05259479D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:03.866{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BFF0369550107BEF58BB70DB54E100,SHA256=29FAAD312C2D77342B942719D04E261A06620495917D3725CB5DFE41C269D20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:03.632{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:03.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E47358B1A24F5425E96FA498A4D150B,SHA256=FE6ABDF62D03163505FB1EAB9E252A6447580B3F644FC43A6B5A4563053E7833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:04.882{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6858279A713AA783D0A398403DAABE76,SHA256=65754AAC0D515EF183FCFD36E57F16F6358D776E6B0C86E31BB5B8FCF4C28159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623553Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:04.906{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECC7EC014EF2F15BEB73D48D7F546C1,SHA256=07E0591DDBA34346D07BF18BD45EA83EC77AF96C0B4C59F7849A23602453BA6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623552Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:01.983{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51593-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623551Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:04.234{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B0A0A7B974397C69249535EA35808BC,SHA256=475A62A3B6595D5FA2FAA52487312B18296C70C84B635CAE0B94BF4FC1C77096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:04.647{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F09FE96A4EC40A33DAB1F018EA095BA,SHA256=36604CFBB993BF4879762905B4DB1474244FEAD2A30BB6BC60409B2DDFBB619D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:05.882{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740E9FFBC792C67D2D899F710BF122AD,SHA256=E8ED532EF6EF18B4C52F193F8154C7E958671A22BC3A2630ADC1454394967E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623554Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:05.906{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4179B74A7161728108174DB17C7CBE0,SHA256=50970DB24D7E396C3994E55438651456B03B069E10A3276D330E1786A2FA2FC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:01.456{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65047-false10.0.1.12-8000- 354300x8000000000000000683574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:01.032{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65046-false10.0.1.12-8089- 23542300x8000000000000000623555Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:06.921{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F5A7AA0421CFB18204D25DF7187CD2,SHA256=5EF353ACB99EE1539541AF0525B6E8D41ECC772FCD5955F7E22F2AC5F3908676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.897{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696DA6A8EB2C3CEB022FB0BEDAE9F29C,SHA256=BB091E665038451896AA8472D265AF1AC0E79524758FD11C1D6E19F26B9C24D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.132{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483DB1F0ACFB51376E3D1297BE069339,SHA256=460751D63FF67175AA36F3F46898C6E15C35348B446C9580624E12C5688F1E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:07.913{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9413CCB0172E7BEE2F61450BB1B4BAF4,SHA256=5B957CD01B7D0B7DE08BF74FA8D8AECF6499E66DD2563A9C708F5D5297E2C940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623580Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.296{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623579Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.296{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623578Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.296{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623577Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.265{97C2ED32-7730-60B6-1600-00000000C501}1204712C:\Windows\system32\svchost.exe{97C2ED32-00FB-60B9-095D-00000000C501}2216C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623576Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.265{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-00FB-60B9-095D-00000000C501}2216C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623575Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.249{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-00FB-60B9-095D-00000000C501}2216C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623574Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.249{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-00FB-60B9-095D-00000000C501}2216C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623573Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.234{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623572Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.234{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623571Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.234{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623570Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.234{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623569Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.234{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623568Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.234{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623567Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.234{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623566Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623565Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623564Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623563Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623562Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623561Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623560Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623559Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.218{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623558Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.202{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623557Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.202{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623556Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.202{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000683581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:03.142{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65048-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000683580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:03.142{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65048-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000683579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:07.304{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5AF5E4BAD13D6C02AB26680F973347B,SHA256=CAA9760876E9CA54A73A1C4680D194CB1B6AAF2689311B703FEACF1FF6759147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:08.929{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D519BE07D479C301077546AC6C7332,SHA256=82664DD4DEE7732BF267BC5730350976AF4374AF9A2B7ACA89DFDCABEBD7807B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623586Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:08.812{97C2ED32-7730-60B6-1600-00000000C501}12045924C:\Windows\system32\svchost.exe{97C2ED32-00FC-60B9-0A5D-00000000C501}32C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623585Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:08.812{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-00FC-60B9-0A5D-00000000C501}32C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623584Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:08.796{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-00FC-60B9-0A5D-00000000C501}32C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623583Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:08.796{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-00FC-60B9-0A5D-00000000C501}32C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000623582Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:08.328{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=199E09D4E85699DB602A432AC6DD16F0,SHA256=8B5B5FE90A859AE5872D040C230EAE86B9128F58A62974723D21A76EC2E29E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623581Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:08.328{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C8BB7E8A76EC1CE8DB9BB6182F7BD2,SHA256=035D1B3AC77531265BFF9A3C0E806887311FE77AD42305A7639E55FBF8B5F0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:08.397{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59E798B7B75BCBC5979144569376FCC3,SHA256=67C8F03E801E9629563865BED2A60FE2C56FE7B5FB8E2A65B2CF7421EBD931ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623588Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:07.046{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51594-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623587Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:09.343{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B14677589FCBD4BD39A721963CF50D1,SHA256=41CB0391C7FC2A41AEC46B5594AA16786BE49A293EB753E97F526DC462C90CE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:09.460{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000623590Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:10.374{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62201E470DDBD34CC1CCEB827D07A27F,SHA256=1B6210C91C7FCC09C593B25AEA9D6248DD9AB0581AD32D1C7D6E355DA110EECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.779{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local65051-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000683591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.779{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65051-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000683590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.770{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65050-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000683589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.770{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65050-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000683588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.573{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65049-false10.0.1.12-8000- 23542300x8000000000000000683587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:10.132{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7872C2B34C0831297B43A19390201AA9,SHA256=A6E47EE826F98970EE80F4F33BC9BF70E0DD965FEF53511175447D4868A56B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:10.132{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=070B14CF76C8B004F3D856D1D1A401D0,SHA256=4D6C36DD89577644BE6ECC6F86804CF3AA3DC9BB1FB1197662F0263DDAB3D820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623589Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:10.015{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93FB4C84DDBC265FE8EB7834033CC052,SHA256=962EACFFF9A441650C38D8117DB6F6C4E9F91A06E8CA2AE023C2A44A3CFB9E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623591Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:11.421{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F81576F8EF379B6C7E8FD642D6E91B,SHA256=D27BEF7A7C5B61DC80F6D749B380BDDCD4C7B25F7FC90CB634675D60C3A0A200,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.884{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65054-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000683599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.884{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65054-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000683598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.880{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65053-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49667- 354300x8000000000000000683597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.880{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65053-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local49667- 354300x8000000000000000683596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.879{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65052-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000683595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:06.879{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65052-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 23542300x8000000000000000683594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:11.163{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7B49DD4ACB927DD9A2D92F5D5745A9,SHA256=7B3831B939ABF0ED1E7CEFA787F8E738E1C170D1118ECFB34783850112C5597D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:11.147{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F060E8BACB38B6435E788F3FF14CFF,SHA256=870ABACA4CF39C2E5F6D2B2612303FE4AA062CEE864A775393C9E644C5444460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623594Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:12.937{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0D82E31FA17D695B76B364D5A97E8779,SHA256=FC6414080CE4236D727D8E4182907D6607AEED30D7324556916422F6C83E7F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623593Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:12.937{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5722371BAFF49C9FE6CE097DFF5BA2FA,SHA256=E4589B9CB139569A55B755038EEA14DE55B7F85B260753E6527DD91429CC6B29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623592Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:12.452{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89674AF56194D1570353B31E78B22839,SHA256=E292F4417C074DCF58FE4E209B6165C3134E576EACD2A87204C67151A90112C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:12.272{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8798B8569A08791AEEADDC3F7ECB17B8,SHA256=77D1C66672FBAB76803029987F13B2A5C812C261D6D9112B4A3F95C36E776712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:12.179{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169B7712C0DEB7754E4FD52BF0566F7,SHA256=B3FA3E66B43DD36E21B839A13CC190EB281E3368A2356F30E90BDBA6E7A9B12D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.882{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0101-60B9-9B52-00000000C401}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683620Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.882{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683619Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.882{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683618Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.882{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683617Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.882{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683616Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.882{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-0101-60B9-9B52-00000000C401}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.882{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0101-60B9-9B52-00000000C401}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.883{D419E45B-0101-60B9-9B52-00000000C401}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12270831B0A6D0534233DBCE29E57B93,SHA256=CF148E834E574B2FBCF89EA2F362D8026325186198D1A9EE9B7A90A6806E53F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.413{D419E45B-0101-60B9-9A52-00000000C401}70166628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.210{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0101-60B9-9A52-00000000C401}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.210{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.210{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.210{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.210{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.210{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-0101-60B9-9A52-00000000C401}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.210{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0101-60B9-9A52-00000000C401}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.195{D419E45B-0101-60B9-9A52-00000000C401}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:13.210{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADF6824A2463887FF6F62AE2BB52303,SHA256=73F0B5085540782E5E5CF2800C55D308F7951705C38A43778D507FC7113C113F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623595Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:13.484{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A987D57129D6A234E50E73475D69159,SHA256=C4932FFFD4F92489FCACC166C57D5A7D47BE574CF4A503D34F7B9F4367A6DFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.897{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F4BFE49E93075D34E846180DC7B4AD9,SHA256=A79D9F09B9582FAE9EF36B40033216C74D72B1A8E5620393647DD4D051D6AC0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.554{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0102-60B9-9C52-00000000C401}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.554{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.554{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.554{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.554{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.554{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-0102-60B9-9C52-00000000C401}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.554{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0102-60B9-9C52-00000000C401}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.554{D419E45B-0102-60B9-9C52-00000000C401}296C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FBED5C6DF1BB50169F9FA89F922CAF,SHA256=CA9E4978638E5A5D89695488A6974AA2055A52EA9735E1B2C49C292A4924405A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623596Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:14.484{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60EA069B7057B3D746767192F408809A,SHA256=05D4C3D83A8BB945B1D96383BF60D1D1F04BAF104B0D4EB4D9D717EDF9E3A31F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:14.054{D419E45B-0101-60B9-9B52-00000000C401}63484672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000623600Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:13.061{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51595-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623599Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:15.484{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818E277C23C3F515DBF9A47A9E338EED,SHA256=78C802419772EC5E1CB3CA1611A3FE98C7D84EE13A5445C24C4A0CCE3D317EC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.929{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0103-60B9-9E52-00000000C401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.913{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.913{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.913{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.913{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.913{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0103-60B9-9E52-00000000C401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.913{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0103-60B9-9E52-00000000C401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.914{D419E45B-0103-60B9-9E52-00000000C401}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000683642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.538{D419E45B-0103-60B9-9D52-00000000C401}61526788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.460{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1485A3F8534A494BC7E82FE2316CC49,SHA256=B0F21D184B11E3C440309EB49A25B0A928B9BD47C4CF578B839773AD92E7A9E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.241{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0103-60B9-9D52-00000000C401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.226{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.226{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.226{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.226{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.226{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0103-60B9-9D52-00000000C401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.226{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0103-60B9-9D52-00000000C401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:15.226{D419E45B-0103-60B9-9D52-00000000C401}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623598Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:15.218{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72546456DCC6C3CB82D00AB23A35D30F,SHA256=8E5C193E52B4145CC8E9D12B2488689B574A5DB21D8994676C14C588743709B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623597Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:15.218{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B41E327456C65255425490A8F3C72244,SHA256=0037EEEC7BD6A3FB7F7C372A8A8BFBA35E2ACF023BBAD6F4F3263A1DA8043E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623601Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:16.578{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CE8A122E07F3CFAA171815760586FC,SHA256=2F36BF0E89FC2F48115D04000F083150B578045D5DDE4983C85E246ECAC67C3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:12.579{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65055-false10.0.1.12-8000- 23542300x8000000000000000683661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.460{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5367799873BC647FA70CB6C1D3328CC8,SHA256=EAC4A1EA168B8ED06626F6DB165B06BFFFDAB83C9F62BB581E1869569AC20B6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.429{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0104-60B9-9F52-00000000C401}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.413{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.413{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.413{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.413{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.413{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0104-60B9-9F52-00000000C401}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.413{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0104-60B9-9F52-00000000C401}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.414{D419E45B-0104-60B9-9F52-00000000C401}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000683652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.163{D419E45B-0103-60B9-9E52-00000000C401}27964328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:16.148{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5F11B50B1CEEBBF447E1781E2ECDADD,SHA256=0D51A6B39D889ADA4E1D1FE4A9957D4CCEC8161E40D782414ECB4E054E928AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.647{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=861FFF897B6D9D4E091DAEB230500491,SHA256=33E73206742D54E022AD8F9044DE6196B588C5B92E504EDD961807B73DC64B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.647{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3292AD6C5B685742F2651B229585B4FF,SHA256=AA5AE7B628924CEBAFD9D083C7B0076DD3FB795E3BBAB7C6D4F1104586B874C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623602Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:17.624{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9733ECBD0763D5726A3F3E9D8C6B0A4D,SHA256=C6A72734107944E843721D95C7697461DC3B7E59479D249AA8323037C8744CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.085{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0105-60B9-A052-00000000C401}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.085{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.085{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.085{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.085{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.085{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0105-60B9-A052-00000000C401}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.085{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0105-60B9-A052-00000000C401}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.086{D419E45B-0105-60B9-A052-00000000C401}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623603Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:18.703{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C16E217CF36E885683F9A15B814355,SHA256=EA672BDB1405D2B0F506B10BDB97A0765D71023ECE8DB71E3A3A04786D2A0D60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:18.788{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3779FA66341C9783462D415F90D635A5,SHA256=C61CE3C7F670ACCFF882FAB553C614A57A3D395270E3F168C2D50B38EDAB1975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:18.788{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFE070AD7BF8A9DDE42775AD80BC1A8,SHA256=A84A3D63B4FD1BC84B054BAF8CD5750537BDAD661236ADAB3ABBAFBD94C8D920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623604Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:19.718{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B636CBEA16C335CA0EFCED095A63B7,SHA256=459076746C1B00E46D7AFFDF46549F4E8B09000EE56C3A917A8C65D8FA358129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:19.804{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA446CEE7606F9E3FD1734F5C54F7A2,SHA256=E2054BDB0A45D0AABE465791600F10407DDBF3797D2BAE393576FD8D4D914C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:20.819{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E393F61474026506FF494C9058F0960B,SHA256=EFAD91268AC555473E218CA6D678C4186B4248DA20B4BA717A71A8C1CE355727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623605Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:20.734{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BE7E8E7FD588D9D0593FA1F4F08D74,SHA256=E7B4AFB314BB5E024464DCAB811137520C6AFB5508564F02A15BA8FC9739D8FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:20.538{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B584F4CBAE6034A5CFB98663B4B309C6,SHA256=916EDF5126D771C514E6509EBFB9124873BDF8DAEC169ACA31099D1E3A58A3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623609Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:21.749{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED8DA37563EE83261649CBE236BAB9C,SHA256=5D1732B157789811D186CADBED3A9CA976C08E888BEB2887E45750D1C9562A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:21.601{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E9B86C6D1DD117F67DED77865058D69,SHA256=12F50DA4450C4FAA477E4B697301EBD34F20392BEBCE245C631C60CAF56D6245,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623608Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:18.921{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51596-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623607Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:21.109{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF5AF000CE04258DC51D6622DEED8E43,SHA256=86AA6F83753728CDA6FB89D39CEBBBD18CBC7FBC3232638EC4F11191029849DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623606Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:21.109{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72546456DCC6C3CB82D00AB23A35D30F,SHA256=8E5C193E52B4145CC8E9D12B2488689B574A5DB21D8994676C14C588743709B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623610Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:22.779{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685D7C3DAC07076C9AEE8A3B7E26E0A8,SHA256=D5B5993029415F7437C0FBF70D9E0BBD26CF13E81ED069408BCD9203ACB6B5D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:17.673{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65056-false10.0.1.12-8000- 23542300x8000000000000000683680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:22.673{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D11227E6514CB58A79DC5F4AEF5000D,SHA256=C02886CF72743F2F8E49E664936EC9EF60415A9F78451BDAEB8D4CCBD85FA551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:22.048{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DD7568D8C0F61AD95B87AECC38BABF,SHA256=D347D9B5E6DB0D636E36EF9473B02D5EDE91D1154172264D02EC847A114BE483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623611Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:23.810{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E0ED95090E2D364B1547BDA16E2E29,SHA256=D47FB70EA35034A02C7F1417582B21213E6476AFAE056B31C1A6F31463BF7CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:23.751{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=082AC408EDA1CFDA24D5371856A29E63,SHA256=BEDB107EFE1BDDBE95CF8768B06D35C1D2C15825DF743E68ADEA2BF281D6842D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:23.110{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EE36EB03A4399BC45F81A52C26602E,SHA256=B6E7A06C85A34D680067CE0633C6D78237ED0106EE56E10C2BE7CFE1EF771442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623612Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:24.810{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E78574C5DEE542CB0BAFD032D90D6B2,SHA256=74F36028AAFBFB61BA616BA8E44EF5A90345CE239A34A2DF078AAB1565B043BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:24.954{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BADF699FD66471FF5D2B848F9C88FEA,SHA256=AF7C8FFA6F1453469A60702C5A1747A7DF73C71A1C2E9989A11B4E025A7036C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:24.110{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDABC654C0062E14FC149AA84980526,SHA256=123CD0B56A0DC73EBD58CFBBC873132D67513F509DA52C44B823A4F9EA53E3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623613Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:25.826{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94976416B871CE0E43F6633ABDDD1773,SHA256=E94E86D1BEE4A4F26D54C0E08B1154383D48214A3B361FDB1C28730C61AB0E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:25.141{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9318D56A54D2073646DEA62D0BF8C207,SHA256=2511CAE2CBA1025285C36534AE372B0B7102D4FC5CC221010A206002C3ECB559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623614Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:26.826{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0D2CCFF5296384B6EC7008042FAE64C,SHA256=4635E63E11EE8AE7D835E8D2D27118934F1DE9DCA8AD637BE0647CA2014F5257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:26.360{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68A50EBB0833CDC4622D9C7A419178E,SHA256=27E5DD4A4B3E4806867788ADB954A82F3122A49EE1784BFA3EB9F58BE2347B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:26.298{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C6C895775AD14B4CAE5FF12C392C33,SHA256=82B853A161721039A9AFFC626B6591228195476747BF3B38C5FBBAA12ACE6FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623618Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:27.826{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C9C817ACF8A2275DA78653D33C762F,SHA256=FA221FFF6D622B6EB841B5BD60B3EED2DB7C61527A0178A893375B766E035661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:27.501{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9D4817CD1A4FE8C060B2CEA545302C8,SHA256=D51FB6F83665B124C0BCF5B8F90274330F29416E63E4224E5EDF81AA29492264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:27.298{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6B67BC4D56706E40675C6DE3CB7AF2,SHA256=FC236064E571A4F57347F16FB1B78327FE31DAAB2F71AE2CC3A633A5CB20000C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623617Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:24.903{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51597-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623616Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:27.232{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0CFCDD7ECCEAC70EF4D70975AEA405D,SHA256=FAF209E2FBCB4F4E446FD5A3B2D4F6A2698A30410A08FE03EA942A38AE65041A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623615Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:27.232{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF5AF000CE04258DC51D6622DEED8E43,SHA256=86AA6F83753728CDA6FB89D39CEBBBD18CBC7FBC3232638EC4F11191029849DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623619Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:28.841{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CECACAC7071A2C119AF962B81CB2F3F,SHA256=A9B31D17DE6090106C0E05C937A8859497425252010CAD442D603A7580724732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:28.641{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43847CAC8795F7B5C524961D081AD480,SHA256=EA3E9BB4F913558A69717869F26B4C76150082AD26873B085DB97C21C08713D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:28.516{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057235BFB938AB621854ACDA2F7D4A44,SHA256=4BC6A6137F046A1FC2C0AA622D51C90AEF187A7CEA8767F4C59392405E9D0E34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:23.588{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65057-false10.0.1.12-8000- 23542300x8000000000000000683695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:29.751{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D441632E2C535321E188A7309D1A89DD,SHA256=51520A71814EC07D676C6CF4E9760E71E9F779CAF16D2CC3BB92605C4B3184DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:29.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5808FA5E6F02507CD7CD5978AB8ACE71,SHA256=32A69818089FCDE5308C858CE0EEB8EDC0F6E1DEEE529A145FCD0386E8CA84B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623638Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.841{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE5B499BB06FBE17A96BE4D53A4BDDD,SHA256=ECCFC603B002E1D45A16C441CDBC652BC17204343839588C40E1594FE7CEC215,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000623637Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.404{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000623636Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.388{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623635Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.388{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623634Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.388{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623633Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.388{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000623632Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.388{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x8000000000000000623631Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.373{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-0111-60B9-0C5D-00000000C501}900C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623630Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.373{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0111-60B9-0C5D-00000000C501}900C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623629Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.373{97C2ED32-0111-60B9-0C5D-00000000C501}9004840C:\Windows\system32\conhost.exe{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623628Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.357{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-0111-60B9-0C5D-00000000C501}900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623627Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.357{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623626Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.357{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623625Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.357{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623624Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.357{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623623Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.357{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623622Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.357{97C2ED32-9D3E-60B6-7A08-00000000C501}33644832C:\Windows\system32\ServerManager.exe{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000623621Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.355{97C2ED32-0111-60B9-0B5D-00000000C501}3636C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000623620Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.310{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=728CFC7ADF61ED979290BCE628D3F7BA,SHA256=B767C19AB6F44F59FA22F24D197334803B886AADD4FF1A438C7092AA336752C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:30.923{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6BD378241340D2D6E52F60BCFEE7DD0,SHA256=03B375CC0F71DBC0522F236855CA8EABCC638085B0C83AA98B4C17C7C41BC13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:30.751{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C184528F6838FE7926DF8A4CBCCBE8,SHA256=451319DAF00A0D7BD0710B64893B0092789369A4B6204C655D53828A2025828E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623654Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.841{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CBEEFF57512FA41EEB7BE2C17D6198,SHA256=A151E30F8BCE08B557BFA80245EC2092995F996CF0068C40CE81B6B02552252E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623653Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:28.268{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51598-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000623652Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:28.268{97C2ED32-0111-60B9-0B5D-00000000C501}3636<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51598-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000623651Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.466{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=12E96E57D53186AD2A817EC802541080,SHA256=327FA6B434E5D08363C9FAD9EB9179639708CA9DF3EB3A4D1FECB98700403416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623650Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.466{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0D82E31FA17D695B76B364D5A97E8779,SHA256=FC6414080CE4236D727D8E4182907D6607AEED30D7324556916422F6C83E7F6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623649Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623648Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623647Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623646Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623645Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623644Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623643Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623642Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623641Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623640Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.419{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000623639Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:30.388{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A0CFCDD7ECCEAC70EF4D70975AEA405D,SHA256=FAF209E2FBCB4F4E446FD5A3B2D4F6A2698A30410A08FE03EA942A38AE65041A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623655Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:31.857{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8461045F0842723AC7C3DDFC2D7EFB,SHA256=FDFA3DFE69812EECA877A02FDBE4EF01A6E21C6B11080A9C236C50807C69BF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:31.766{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5377F25B5285446DB7A783337A5359F5,SHA256=6CD41A10AEC2875C494AD4CEFBC9D4DBDD4127F433776D31D97AF16801E356B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623657Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:32.857{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2682A0B82AB7E4CBA6A5B30D008C11B9,SHA256=20522137D123CD86F2AC0234075FDD3E90557145260BA219A0157681252508C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:32.829{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E963B457A2A3F111CD9C11A886FA587,SHA256=1827045DC8E42493ED1DE9F2B598C710C61E1E0803808573137583E2799B31B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623656Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:32.091{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6C8F8611FAE1D96C5745AC6787BA89E,SHA256=0F86A8D3982EC432CC650CA880BB4931E74DB3C0290298C9BAFA0D640360F364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:32.735{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=950C24BF4ADD2B256DF5C2B6EFB5797D,SHA256=4A413EAAF60599F058220077688479FE28899B7D59CC2426EE3A07EF90DD4B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:32.016{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8751ABBFA4976C5AD35B20511D2687AD,SHA256=555E0BF4EE3CF62F64F3BEC62E6899B0FDC27546EFD17449F671FEE4CD46280A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:33.844{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29311F3A0C93DA1CBB78AB5A58B16E4,SHA256=1DC02565A51F16C45E0DFBA08805CA9E8A1C9D682D18C56A7F06E8F553805D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623659Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:29.950{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51599-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623658Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:33.873{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0D4978046FD182D93D287D4E7AEE23,SHA256=AFDE2BCF115E1C7AD270A79585BA0DFC776CFB608C9C08D596DEED5782885C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:33.126{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BC55F9A71F4F68356AEC7009405FB78,SHA256=01F1FF5429450E501EFC34127E06DAA247C811F16D25646CEEBB3EE63D1B668B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623660Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:34.888{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DD635768796B5976169CC2E02AB109,SHA256=B46E6AF733E8AEB67AC8C0470207743C1A2573FF693FE66A413429D4AD128830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:34.923{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BBCCA302273DA6401FE39C923CA70F,SHA256=69F6D2B37A615C4C3B69CD7806D5865CCE4C8346ED04B972AEBE84E545F6AF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:34.360{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D8D95DA2212DB5129054CFDBB5A4D26,SHA256=505B55EB70D12DD9E366C8DF896F62D56AD1465D4E062CF2C8CE855BFE991078,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:29.526{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65058-false10.0.1.12-8000- 23542300x8000000000000000623661Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:35.888{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D86DC5D1F2025172BD1E860DF720C2,SHA256=5AD690BCFD4F6A0B7A3B0055C47EEE24CCF5284C3F9D454D7AA05C08CEC436EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:35.923{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D29FEB520CBF64FBF8C910AE6375FF75,SHA256=EE633DB7FD8C0FE141372E136941CE6FF7A485CCF2590DBC09CA449115111DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:35.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB5CCE9EF96F0C3F927F0716F02BBBDD,SHA256=C97DB3D177A9714EE2A22DCBFA462199B09B4F40EDF6441B61F778F2A2696681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:36.954{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22201851E8C81ABF95498EC06A7912F,SHA256=9CB230A51AAC84B77E26E89F4891AA0D6DCE828F2425985803BD4D9E69D44BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623662Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:36.904{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347226E26CC28A542E5AAAC682FF34FB,SHA256=819FFC83F990C66A570952BA174ECF7F5A739800203B38BC2C3CA92FCA48C24C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:36.798{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9D075A54E65B7436C57BB52EDD6CFA6,SHA256=FE51378F8B799A493DFBEE1E020385B59B733B318FF093CCEA069AB451756A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:37.954{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE91D782B5D6639795C5171E95BF9EC,SHA256=745D81B2BF17C9AE1F31AF3268CDBDA53AA67674D26E041CF78FEC53A250366F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623666Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:37.919{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B99C78255A6D91589CFF98910076FAF1,SHA256=D9D6E7CF27A43303670FF998D311CC391E5DBDCCCFB3B41F3E9EC57489DF022E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:37.907{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EF2D3C0BAE8DB8E1F313ED2FA78729F,SHA256=1D590EA2B57A62F95B7893BBEDAADC53F637A6EFAE48336AE8DB3ADD271A1D0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623665Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:34.950{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51600-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623664Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:37.232{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF9CEC37343C0135B9C808618E4332F0,SHA256=5DFF175E5DFED14A8B75E3B252D772550C9377E0205DAB65626CDCD287609123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623663Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:37.232{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16FD5E14BC28A93AADE2DCA7F8807132,SHA256=46BE58C258757AF0BB4C477998C8E1423EF2FF35DA804EBDDB0D012D4379BABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623667Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:38.919{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C032EC32F970EEF744D6BF3BA77F46,SHA256=4B84A2B8BE1D6FB102A1552B91E5D9AFF4DEB6CA3A099CC81DD9F9B0362A0679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:38.969{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D8EC60350AF037E1ECD2FC7A4C6FD6,SHA256=C7C72E83A35DF7AE7FBD38804B835D3BB993A7AA2A3183B073A0A3BB05780215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623668Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:39.919{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9238E2496682EB988EDCEAA5AFD049FD,SHA256=F90284579EA90F3032644873D29DB0A0C083F4AD0173A90667F55515B7A1DB6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:39.282{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3E347FED307494F437B711B2433DAF8,SHA256=5B17F8A6F9B5C0DE452AE3BF960D91C64DC2E45927CF0F385800073BF7AE221A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:34.588{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65059-false10.0.1.12-8000- 23542300x8000000000000000623669Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:40.966{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B54BC420799250DE84CBA96ADFF8F026,SHA256=646DBBFCCF1C1505B6266EE755AA451B5E810F7286104E16C584DE81B0165F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:40.438{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06C8A59D6EC8C5C0EE0402D1782B898,SHA256=37506E46CF96A777A5A722EEDAD92567BA4B133C8FBE744349D5798B455D4EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:40.266{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A5E441E24CEC5D6433D0E0B43D29D3C6,SHA256=2754DC5374866FAD3958747584CCE6B6A68C9C94AF48F5BADC4531A2661EE7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:40.001{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A251F8E90D417BE10ED402EAACB2BECD,SHA256=DE4DF9A9F791AFB7BACC74A917EFA3E09DB961003A7F6BF2EC4A23D61C7955FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623670Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:41.968{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FE897BDF6413E5A70525F3138C4AEE,SHA256=1B74899AAD613105AE22EE884D5ECF7C9FA7D8BA38B39D0E7A682EA2C2311FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:41.454{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD804D754676294CD9CA732132369F52,SHA256=CC4A7BD9F0B54B61DFDE26BED30DFBD0ED7F214F0670C4CEB9F2993D4D3888A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:41.032{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E6EE7CF170455049CF2EA8C5D6C29A,SHA256=6165317D21ED7C63E93ADC30310911A2D0B6A8CA935EB52AB03DB3E5E8C2513F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623674Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:42.968{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11CD27FBA155F648BBC14A243DCEA8C,SHA256=91DE7AB0C552934F1DFC9B514180A347266F08F15600CED6A7F7B7681393E061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:42.722{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DA9067166F0E298D22B213D30B015BB,SHA256=7F82D80F8F1DA631BF4DC3907A3B1B40C86D351B224F600C440515A0ACFFD018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:42.034{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF2186DBE913C8613C3B8A95289A9E77,SHA256=0AAA52C51AFDB52806108A633DC454D5B8BC0BA68567787579113D9427740F46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623673Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:40.092{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51601-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623672Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:42.296{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D62D73F58C8B19507B2273DBA02CB09,SHA256=4D0A1F0D332628E31905A5F271804D096111BD3526BE5EF02811A0093A57FD39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623671Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:42.296{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF9CEC37343C0135B9C808618E4332F0,SHA256=5DFF175E5DFED14A8B75E3B252D772550C9377E0205DAB65626CDCD287609123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623675Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:43.968{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E20F4375AB852DEF08F37BBF9578EDF,SHA256=7B1902D1B3658BE8F2BD6C31F86DC19C5DF74238E4A0F53D5FF3FD8497991DE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:43.050{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656CCB8BF92FA429BBE68396EB43EFF5,SHA256=E33B6AAD26B82DB50D185E3EBD93DB52BDCAECC49D7400A4FC8F2A675376D61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623676Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:44.984{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57A4E5B886EBB67ECCA84C049379ABF6,SHA256=8B1C19DAD8D2497F336FCE5FE4576741E63E3FF0F74C4136318726C74D5BD203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:44.175{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F91BA11CF1469E6E560E5ACE22CE880,SHA256=12AF750D6811C88D7B48467C358B708CE6D67CF4748726BF9C48EB0B308A4B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:44.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97B09B2396843F115E70CDE38D6FCD2,SHA256=38A7F4F56C49CED6A1918A3F171B1F4D911896A1746CB3D0448C4C1C8D277410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:45.362{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B258691F4055D7381FE9BB438D8E327,SHA256=9445D4DC06DE09DB6E4B7A772C4033F9CE222FA949577F649834ED84765A6938,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:40.575{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65060-false10.0.1.12-8000- 23542300x8000000000000000683726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:45.097{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B019F46D4E5AC9DBC10D01D73EE8B935,SHA256=439CC56F7DFB9DBC92FA87CB71DCA264C7D402D8F71F2A700C58FB142F6A79C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:46.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FF4492216527A63F97FDB6348C102CF,SHA256=D09B480CCE75CDA57A956F757626F3C8080D2B36AC9F6F8AE8BAEE60C5572FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:46.112{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCD687112278F8A191226DE8953BED4,SHA256=59CA949CA8FAAF2B4B15C64FA7AB7C9323F447AF3F1FF8A61DC817B78CEC005A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623677Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:46.000{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9981C7E825A4646A18D109BDB3869ED,SHA256=CE45A56AC2B7A24F16739EAE49F22DB9BE5961E6523FB41769CDE31DDB8BBA5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623687Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.921{97C2ED32-0123-60B9-0D5D-00000000C501}57962564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623686Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.781{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0123-60B9-0D5D-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623685Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.781{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623684Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.781{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623683Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.781{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623682Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.781{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623681Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.781{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0123-60B9-0D5D-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623680Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.781{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0123-60B9-0D5D-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623679Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.781{97C2ED32-0123-60B9-0D5D-00000000C501}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623678Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:47.031{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE97B8BF4511D970AFD5BA03CFEE5BF3,SHA256=7B2D700C189B3DDBB77D97DDBAD2F21407853B922022381B39953ED4B7F374A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:47.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C38799022F6B0EC4B2FAFD9AF9E6C120,SHA256=8265C0DFCEA001DABFABAC9FFFD4CDB9B788B6BB59D499E6D40574C73F8D0FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:47.128{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730CCC974331CDBDF34396B432E5CF68,SHA256=C23AAE27F054FBBA9A2BDA9C03D58F086C4BA964025A37522A199E405ADDB84A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623699Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.593{97C2ED32-0124-60B9-0E5D-00000000C501}17285540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623698Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.453{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0124-60B9-0E5D-00000000C501}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623697Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.453{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623696Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.453{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623695Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.453{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623694Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.453{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623693Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.453{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0124-60B9-0E5D-00000000C501}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623692Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.453{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0124-60B9-0E5D-00000000C501}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623691Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.453{97C2ED32-0124-60B9-0E5D-00000000C501}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623690Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.234{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F30F9678F9A70AC18E388746AD56AF0,SHA256=5A12F71419DC094506009DFF58DB18978FD5FCA7B71794A76FEC37F039047943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623689Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.234{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D62D73F58C8B19507B2273DBA02CB09,SHA256=4D0A1F0D332628E31905A5F271804D096111BD3526BE5EF02811A0093A57FD39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623688Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:48.046{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4C6719CB6C07C53A5111670EF354F6,SHA256=14BE69BDB4F7D898631DD3951CF742A344AD694E37148104E48E0B2B200C6060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:48.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8E16919E353CB26B633CD9BDB89FECF,SHA256=E2C74ADC64BF5390DAA3996BF242CC7044E5A4A6B21A598C274CAA02F48F3CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:48.143{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEC94D9EFDE1C6540CF01A9028DA28F,SHA256=190C1A5F1E7841C37BA077D81067944588CBE7293E71EC92AED126088B26927B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:49.175{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F8B27ACAF5775038AE59B4F91AD408,SHA256=2F605F307B8552B2C15168A6915758D5C981E1CE78BBEFD9A26123AD025AB8B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623719Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.796{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0125-60B9-105D-00000000C501}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623718Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.796{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623717Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.796{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623716Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.796{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623715Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.796{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623714Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.796{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0125-60B9-105D-00000000C501}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623713Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.796{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0125-60B9-105D-00000000C501}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623712Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.797{97C2ED32-0125-60B9-105D-00000000C501}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623711Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.453{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F30F9678F9A70AC18E388746AD56AF0,SHA256=5A12F71419DC094506009DFF58DB18978FD5FCA7B71794A76FEC37F039047943,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623710Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.250{97C2ED32-0125-60B9-0F5D-00000000C501}60365728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000623709Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:46.093{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51602-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000623708Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.125{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0125-60B9-0F5D-00000000C501}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623707Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.125{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623706Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.125{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623705Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.125{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623704Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.125{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623703Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.125{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0125-60B9-0F5D-00000000C501}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623702Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.125{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0125-60B9-0F5D-00000000C501}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623701Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.125{97C2ED32-0125-60B9-0F5D-00000000C501}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623700Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:49.062{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07D01C87DF6851C2500914077BEEB59,SHA256=BC34F051E85AEE4E1492D3E4A53289F5118C2B34E8259529C150082FC3C1FBD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:46.559{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65061-false10.0.1.12-8000- 23542300x8000000000000000683737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:50.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D45D894683898385213D87A7D62A88,SHA256=E4BD609B6F0356FA847DE8F3DDF46E180BE7957BC6B9E9AB8F763D15174C0993,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623728Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.468{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0126-60B9-115D-00000000C501}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623727Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.468{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623726Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.468{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623725Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.468{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623724Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.468{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623723Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.468{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0126-60B9-115D-00000000C501}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623722Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.468{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0126-60B9-115D-00000000C501}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623721Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.469{97C2ED32-0126-60B9-115D-00000000C501}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623720Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:50.078{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415FAA70D182D3ADE70EDD32F52C1083,SHA256=ADD395A98B85FF2FE38364F4C80FCA23FDC7E0B992728D2FEE745D764A2A1833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:50.268{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB92DB51086E35BC7E47ACD21AE8E1F3,SHA256=B8C55CD2F1C528852A79AA95B744BBF8B2D6946EE60D72465BE77EBE5198285E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:51.565{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8268845FC7999ED4C9B60A3472ECE918,SHA256=717173EA111B715F7D49B6CDE5AF6C0508CA8E51FBECDBB0BF7E56003068A4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:51.409{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CADEEF30AE74C2E602185E0239C07C7,SHA256=A5891C9A2B0C56ACBCE26E934B88A50DC197B45B25801EA10C248F4D775C8ED3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623747Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.953{97C2ED32-0127-60B9-135D-00000000C501}5043916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623746Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.812{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0127-60B9-135D-00000000C501}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623745Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.812{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623744Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.812{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623743Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.812{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623742Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.812{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623741Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.812{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0127-60B9-135D-00000000C501}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623740Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.812{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0127-60B9-135D-00000000C501}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623739Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.813{97C2ED32-0127-60B9-135D-00000000C501}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000623738Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.140{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0127-60B9-125D-00000000C501}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623737Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.140{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623736Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.140{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623735Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.140{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623734Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.140{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623733Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.140{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0127-60B9-125D-00000000C501}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623732Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.140{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0127-60B9-125D-00000000C501}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623731Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.141{97C2ED32-0127-60B9-125D-00000000C501}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623730Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.093{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208E9EC6A507C59B6EF0F0BC0C302F52,SHA256=C8A22FB51C9D2717A1A1605D074F991AFBBF437001CD0D1D9935BE0D2DC12787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623729Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:51.046{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87A76D6D821A3911CC933A613E2DDD8D,SHA256=27E979F8B49960F40726F0AD20C140E0D145F3ED6A44FDDA03D819A0962D4335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:52.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82DE99BC2FBA09BC3BD8A7F0DF34A612,SHA256=62A04F511954E4BD8F81D84CA6564FF5318F5578946D40F549986ABF60F16950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:52.425{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC4FA425D9EF53577592FC778D4C935,SHA256=8C8D46DB3FB9583853EDDB952319AB0647E994AD155FA301EB613023E5E95DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623749Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:52.375{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEDB1A96BC5EDE16BBF2790DEC8FE5A5,SHA256=C1B38366B76285E1106E1B259990022D455A3F52B6A51F3CB3E7A3B953E9E39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623748Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:52.109{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C328078B255274524CB209E63006EA2,SHA256=080D9C96AC6D54B510D460B76084B7B6DFB552A7E2638E08C831CD550EF6B78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:53.768{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B60E638F5D11949041C265BA1E0EE641,SHA256=E0CFB48F818A8297F9CF516862E0C167EA6CE038C3893CEAAEB599B336BF076F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:53.456{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB839B4A48222809958CD7E16988DC60,SHA256=CB49A83476DA4EBD95818ABE03C82A76D24DE202FEAEB61E8B3DCB7AD4BA8ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623750Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:53.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A8DFB0D20FD5E92CC1F902FDAF3881,SHA256=EEB40BED355DF2F0F5731601E2EE7A9575C91242777A10176EAC1116534F43F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:54.972{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5230260CBED402BA01F13B5AF15F4BE,SHA256=6C425F8ACD2F2509F3D04A480ED896B40FFCB2B10E23AC742958CC4B2321D87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:54.472{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B828E6E3A297E53D71BCB7EFA4BC3D,SHA256=5952521ED52F60A9E1F222038CDC2EC58B22BCBA39F886232F2461F6B6D1E2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623752Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:54.390{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=092E181242C81D9BB2D7746C46BA08DB,SHA256=7DE496D6DBA875099B3C6155EFA09ECFD676AB7CAABD79ED1C48EF9AE34AFAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623751Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:54.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A42148CFD67393E3729DDA33228A6A,SHA256=68428E0D6FA535C90F6BC97800C0A3C0B2373081F8B7B2B13FF002E90A223A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:55.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C37218F59507BAC32D6D079737331D,SHA256=BB151567615834786B15D2FB8EF4F5B5ACC57641D329C33CED58C43C8B7E4BA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623754Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:52.096{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51603-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623753Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:55.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733C88F979E3B555482D5ED95A3597DF,SHA256=55E4764163B4897198C0FE37EE6F3605AE1538994260E240157B845368D58BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:56.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010B4A55ED602BFA17378A92D08A37D1,SHA256=AFAF9169A3D9D71C2EEE81D5DDD733D5B94B35AEADCA5D22D2E610EF008DF545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623755Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:56.156{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A40596D6B0AF52CEE2A0A0E0993CAE,SHA256=5F63694FBBAB152309987673F5830C2081F160636999934FDDB27D7FC52A1D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:56.206{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F335073D3CF5A444732819421AE050B,SHA256=EA55421E9B6F51790E920760FFC5F0A5355F576B4CAB14B97DEAB1B602C77AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:56.034{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=35F64E9464A485E8DC4A06111FA85311,SHA256=B198947E93A877D653CAD12AEC60A252C331F437DC6DD6C2E59B99BDD0C80D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:52.590{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65062-false10.0.1.12-8000- 23542300x8000000000000000683752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:57.534{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F6A9022E60ABC7902C6AADF84CFC98,SHA256=B2FC9BDC117B84812A14E8517C73B38CC5EE1975D60B6A1A3F89AD44364362C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623756Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:57.187{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD9AF58A828B8C9EC69CE33D1B9DA03,SHA256=1E129F7186F8C75CEC365973E2F46ACB2353D969E6886EEACA2D6CBBE48530E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:57.331{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5437626F4B49A1412650E8BB2B11E55,SHA256=513A24580970DA56A757402B52AF6F581CBC835ACADC751D0E386F2B0CFB71C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:58.768{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AB746D76083E5719DDA75C1598C6603,SHA256=9477546602271F6DD530328E74993BC310C2848F575899CD9A2BF0674DA70E14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:58.534{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8CB4AA22C8AB80EB7461C798E2FF60,SHA256=CFE305DD410F6F13EC22285665959B4D75C12BB9F51EE4A6C62F2A008E7801BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623757Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:58.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C534CA2CBB99F8DD28FE934F9AD3990,SHA256=4718DB6F5E9D9A910AD4411E9DEDED9CA289471B7F72F0DAE8ED97381673E09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:59.878{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57D097F890317932B89BC7502F174AC3,SHA256=1939CEEE515885E6B12DA1406B756546790F6DA66822F69C8CEECA7D1CBDE2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:59.565{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691B54171326FD71F76D31E25BD6C8F3,SHA256=111448AC95E6E816463B0439B66864215FF2D8E232904611410AA27999B7D720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623758Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:59.201{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C358C532C88875DCB1D68715F905CDC,SHA256=640AC1E250776F4B4F02C1319622813E635CDE480BBAA5EE64AB2CEFD03D83D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:00.581{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75E2424474C22A9CB1132B665657C7A,SHA256=4DFFFCFBA816C468A697F939C7E8634997CEDB5D05F729F6CFCB256807CDDD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623762Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:00.563{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623761Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:00.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37353C45AFB9406140D9CA945BC8FB95,SHA256=24327D072DA393C546A57283EBE6DD30C37F555BDF07D710686353DE54C787D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623760Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:00.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AE59A5387226BE3F5D0F6B7AD3547A9,SHA256=4902F7D7E6EFFB39CC3CB89547E2B9703ADCB21A36BD55358E1DAEFADF7D310C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623759Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:00.188{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9139321EF8648831B5B030213F15CA58,SHA256=158AD36FF94BF47EDA312140D6FBDC80CF279AFB1FB73A07DB078F0DAC7FAAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623765Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:01.563{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AE59A5387226BE3F5D0F6B7AD3547A9,SHA256=4902F7D7E6EFFB39CC3CB89547E2B9703ADCB21A36BD55358E1DAEFADF7D310C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623764Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:58.032{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51604-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623763Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:01.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACDFED2DBE23364A8D0EDAA8D9D6C6B,SHA256=2BAEB6BA00412B2866763C84497ED3FB08CAA2F5931C23477026BADD39EA20DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:19:57.637{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65063-false10.0.1.12-8000- 23542300x8000000000000000683760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:01.628{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5D25CFDE58993870C822DE6E834C5B,SHA256=AE600424D5E4B419D070863B059D1330BABA48AA76C303233B2AAD3DDB4F05B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:01.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D718FC88D83A3D0181429B12B06DCB60,SHA256=F6C7CFD8E333285B5CA83781E36B441A48FAAF061D7BE5DBAC8978B745BF2B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:02.632{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742A245CACB10E424E2866B45229C5BC,SHA256=44AD566FD1420AC09D50594DC726575DDFD17DAFC8840C16D22E1BE219FD4B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623768Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:02.848{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6C0CA1385A634E3C7A1F4A547D79F8B3,SHA256=5442B2CA06F7A0C25EA4527B2C50EAA90B25598D9702FB257212544D8B94F577,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623767Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:19:59.411{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51605-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000623766Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:02.207{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43762DB26B547D15C2C44D6858DE5EF4,SHA256=09B4379213707E1550695399D81C7861A2CEB36FE653843588D291BE22DFE21B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:02.273{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF9BC4DA3619C6D4059930A0449597B5,SHA256=0A3D656644DA22437C45C2E31C0CA37AAA913C41D94D6A7466D8DECA1689B61B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:03.633{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:03.633{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB8D2FBEE825076F7B2BDF38CCEB731,SHA256=96688F3C960CFB6C78B5A8A004EA4BA0C945FD9C8BAFD027480BA945FCDF998F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623769Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:03.223{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB4294212C04A653FE51A0E7D43B5FA,SHA256=64BB4DC3E03B591FBB2018780C2FEADE3D10ACA55D49BE81A79AF64C725648B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:03.539{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81EF058A9B30A98DA3B6F17296EE2937,SHA256=A9EAE86391CC6593DB4A5C676D954F02F4D9FFBBB3E32B4760EB3E1C19BD2E20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:01.050{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65064-false10.0.1.12-8089- 23542300x8000000000000000683768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:04.730{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9E576A5461273EF38C50B574E667359,SHA256=3674577B3E55177145C58BAE5A5335B8DC43EFC5BB605D807F153CC94D3F365E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:04.652{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1302402D98F8F2AE80BFE1EEA4C1C9FF,SHA256=D938F0C5B09F20946634648DB03F22016C2132C96D4895EB51DCEA87B953FF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623770Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:04.270{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9843917FAE561280959369563668AD17,SHA256=6AC1A45A5243A33658174362A53BACCA2A5B27CEFD4FE510EBAFE36E30D2689A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:05.668{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F1F65FB93E3DBFB8820DE4EBF5AA1D,SHA256=CC381CC63787BB0101ACF7C899E1FF70F88B2395E43AC5FCF2AF89DF3E0C2E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623771Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:05.270{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1218D54756BC19F6817ECE1EB8931C6,SHA256=54597983C4FB86CD79240C565429781AA0E55AC1501EA049225AED19438A6CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:06.683{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0134867336A6760640EE665128E56DA6,SHA256=E396D3A64DE9131789CBC916F7ABD9020C629D20F5F6ACFBB363A019D9EAD241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623773Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:06.301{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F692F50EF7E2E197E1FECDD62081AEA,SHA256=341D05646DFC4AB3DE7E4F13B4A4B5DCC10CEC90E33263F4429F1695334BFC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:06.090{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14F541BD35B2190B08569D91E83C0A90,SHA256=0488AC918DAB93E11A59AA2670E6BE0BA8339DAA5B7BDB49FBCCF16D3D694ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623772Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:06.098{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=679CBBE77F8F4392F3D62160ACAAF176,SHA256=95F5ECC24CD34F17C9C77527E163E02A54221C35FACCB54CE8DBB3009D7E3275,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:03.677{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65066-false10.0.1.12-8000- 354300x8000000000000000683776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:03.146{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65065-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000683775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:03.146{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65065-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000683774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:07.684{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF72289EBC0E4DDC10964CBB5F8E8E71,SHA256=D7D5D03516C82378232401FFC559779D2A04995FCB4F1B47A0C778F801435A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623775Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:03.941{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51606-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623774Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:07.317{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707370E583DFAD17D5BF99AE6624DE54,SHA256=93BE387DF65FDA468F415FBAF9B1DF851982574D6AA58243A543B5DCF5BBB797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:07.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D4006B8A15D71A0DC2AB7BA8E4B3F22,SHA256=9458C430DC783E1AE8F18D91F1B187230DCCD39711FEAF4E344596F242D9C12D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:08.699{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F01668D21ADC43E81F3A490FB0D329,SHA256=9D9AD9347C44C00D37F16CE2298B1DEAAE01651CD6967AA6B8C13016BA1C3319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623776Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:08.363{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD455B72009150188C4EEC6C8FAFBD87,SHA256=D3BE7D7201328E88E7F42598ECA7FFAE3BF5B349ED4DEC8A67F850F14E4EF3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:08.402{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE650BAC997808C723447B129EEDFE36,SHA256=062AFD59F83040E7465D832ED7C04710E87906E39AD2CBEF54B8D5C7EEF67480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:09.761{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F270DAF3959553983249B208FF41FE0,SHA256=AFD4B34802AA6215DF9054BAEE900702E729028EFDCF3FCEEFEF275EFD134B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623777Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:09.379{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB841ACCC66262630888EA2C51F1555,SHA256=01265E3B9078DCD6023A1EB77B36BDD8173D08C03E4E7A3D38E838B474D718B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:10.777{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5DFED7EBC831D183A86FA20784293D,SHA256=5E145E00A4A765BCB75C1E056D78D062F3E48A295EF5D2270277C65A16ADBC6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623805Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623804Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623803Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623802Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623801Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623800Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623799Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623798Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623797Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623796Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623795Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623794Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623793Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623792Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623791Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623790Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623789Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623788Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623787Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623786Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623785Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623784Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623783Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623782Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623781Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623780Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623779Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.410{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000623778Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:10.379{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B4E1BD29AFD4EFF430001269103D4B,SHA256=049843CD568F29F5D0D8E99F9E9B52F486B667B4F03A9D7CF2A13B4895D8BDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:10.090{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5D8BCCE1775A496A03A423C597A988C,SHA256=86D0614E3D4E7855E593190B9FBE0A811793FEECDDBD7C60594DB770A6663594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:11.793{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468AB97C89E5E270A6BFF8F78057B831,SHA256=88067DF413E398845673956F4D27BA8B7A8058FBC94D2C9BE772FD4814F9F1D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623809Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:09.051{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51607-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623808Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:11.488{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B7BA93E1765A2B7166D13C58A672179,SHA256=A21D406C6289B89361C053CC4830D3C3C4C39E0421854EC39870F900AFF241C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:11.261{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F519B2CA533DA48149B2CF9303D7617B,SHA256=92DE587DC712AC70873111BCC0AD7C8ACBCBC4EA99D09FE582DD126387138491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623807Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:11.223{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A2A3B8127DBBF8DA897C97BCC96A53E,SHA256=3175EEA749724917787393ADD1F48C68DFE277B5C5648F179DF0B01DB8DCEC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623806Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:11.223{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2B2AAF27064D8D5D086CF82A4288712,SHA256=1136933E68C3AB40C79847D7FC6A2FBF302E55E2BBC64E05F25B86D4B4F0440B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:12.840{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6541B740C0E7B98BCBE5F3A90CC555,SHA256=ABBC187DEFE0BD6C8BFCA551A50CD3FCC8A7C8E697293150A60410637D704953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623810Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:12.504{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7116FA4F0AB2ED3F90494DE458A06671,SHA256=D0AEA53599FF92F8D27BF470C588B0588D39490919365671996CE04E50D423B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:12.511{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C33FEF5149178D7A9107D48CA1097917,SHA256=EFA53578C207B6FC2CEE45384FB348211A5CCEB3D649A5EF5996E47D53F54AAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.918{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-013D-60B9-A252-00000000C401}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.902{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-013D-60B9-A252-00000000C401}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.902{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-013D-60B9-A252-00000000C401}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.903{D419E45B-013D-60B9-A252-00000000C401}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.871{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E499A8EDE08373FDD8DC81FCC2F9745,SHA256=FBBC63FA9E0CEBCA9BBCB2E8CDE3F57BF472ED87E2874CCE1CA9A80994D861C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623811Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:13.520{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF1B509854CCCD07CC37ECEF6B12658,SHA256=36A2961684CCC0A259B087D5F4C7D227CC6C9EA5A93134A71F46945FAB0AFB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.543{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26215AC1F51B3CCDEB920B8C71824786,SHA256=3BFCA1D5DB7FFF8D308C1496277F77D6AF5FA8B792BE5C85EFDA912357D5B85A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.402{D419E45B-013D-60B9-A152-00000000C401}27165576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.230{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-013D-60B9-A152-00000000C401}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.230{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.230{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.230{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.230{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.230{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-013D-60B9-A152-00000000C401}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.230{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-013D-60B9-A152-00000000C401}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:13.215{D419E45B-013D-60B9-A152-00000000C401}2716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000683853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.902{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-013E-60B9-A452-00000000C401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.902{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-013E-60B9-A452-00000000C401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.902{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-013E-60B9-A452-00000000C401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.903{D419E45B-013E-60B9-A452-00000000C401}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623812Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:14.535{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A861991CB6AFE2C129C3A198E79277,SHA256=21D6912EC8990DCFF23647602BB10F4AF5723D39390072E356B3BB999AB3B7A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.840{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.699{D419E45B-013E-60B9-A352-00000000C401}63566852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.418{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-013E-60B9-A352-00000000C401}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.402{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.402{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.402{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.402{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.402{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-013E-60B9-A352-00000000C401}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.402{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-013E-60B9-A352-00000000C401}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.403{D419E45B-013E-60B9-A352-00000000C401}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000683807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:14.168{D419E45B-013D-60B9-A252-00000000C401}2160704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000683806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:09.646{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65067-false10.0.1.12-8000- 23542300x8000000000000000683866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.918{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA43DC3D1C21DA31746C3C5E41E47E32,SHA256=911384D491F0618634C6D147C631489C8FD57A8B80F93FD8E18D0CD114EEA527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623813Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:15.582{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A7E6F709AE0F237AFB7484DCA4DCD0,SHA256=0D82E6679E6689D244F18B774BE32EB1FB1FE3FD4277820567DC3B1A77ABB256,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.418{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-013F-60B9-A552-00000000C401}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.402{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.402{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.402{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.402{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.402{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-013F-60B9-A552-00000000C401}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.402{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-013F-60B9-A552-00000000C401}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.403{D419E45B-013F-60B9-A552-00000000C401}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.152{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BE012EA448C5DB99360C6D3C36D89F,SHA256=730E3E2B09297305CB398AFD1EBC55CA2E619B7412C47CF316FD54308869141C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.152{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B3BB4F804921A17B55AABAD9CEBC99,SHA256=1CAA8CAAB8AEF50E8EF6AB610F8293433CD75A7D8CE5BD340E75DFDE081D824D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.152{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F266513EDEAD800EB69AE4F170A62E,SHA256=A5FB0C3ADAC6F58F801DD7B641047F5D0C3978ACE585649566EA2DD91F87FBAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.136{D419E45B-013E-60B9-A452-00000000C401}18883188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000623817Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:14.098{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51608-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623816Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:16.598{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EC887C04919FFEB3713256A94D1F27,SHA256=854916E6C28C516FE16C3ABC729193A869F55C46B98297A1954258ACA1FB5D91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.777{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0140-60B9-A752-00000000C401}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.777{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.762{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.762{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.762{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.762{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0140-60B9-A752-00000000C401}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.762{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0140-60B9-A752-00000000C401}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.762{D419E45B-0140-60B9-A752-00000000C401}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000683875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.324{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26F021D6FCB3AEE70AEA5A668BE168FE,SHA256=4EB856D0BAEC1D05168CF970B58649B04777E012A43DD00CCF209BFECF277D36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.090{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0140-60B9-A652-00000000C401}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.090{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.090{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.090{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.090{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.090{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0140-60B9-A652-00000000C401}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000683868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.090{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0140-60B9-A652-00000000C401}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:16.075{D419E45B-0140-60B9-A652-00000000C401}7152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623815Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:16.254{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9360DFA1B5C1B5608BC9CC8A0B44336,SHA256=B32CE1C181C028A7306CC3DCF92D928308BB0DC3BB6357AD6E0C5B6CD5FE3A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623814Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:16.254{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A2A3B8127DBBF8DA897C97BCC96A53E,SHA256=3175EEA749724917787393ADD1F48C68DFE277B5C5648F179DF0B01DB8DCEC18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623818Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:17.598{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27081147D6C07BE81C29BA7F8B80C44E,SHA256=67BCE77E2BB680AF9714C88757504DD517030616DA4119F20E77931590E1C673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:17.465{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EF1809F3CB76B610F539CF6187D2897,SHA256=9597D097BA4E45D97BEF8D07F209F0AEDA8FA3B239D991BDF0BD342C4068FB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:17.012{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67E83BB20BA28024543FD1B2D4D0612,SHA256=0659041D9882A61785A1C85DED5A8FEC95495B3B20B420B95FEB69E8834DDC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:18.629{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D20A88A4D0BCEC54B8A6EE3AC3D1D5,SHA256=1294D5DA521EB0C5F31C1B25684774C75C3742833FB41CFA02FDCC5EDAB34074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:18.606{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72512635DD1CDE9EB3F6E49F8883597B,SHA256=B5BBEA8C39DBFE8F98F83AC38C1A3E10D4659A17B7CECD3B74C9BBEC15FCEECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:18.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6D8F973CCA3C83D7BA16FB2B9195B5,SHA256=2420E2B94E16F7276189498EB5A6970CFDBD251C57BD83352EF1CF0662331B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623820Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:19.645{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F05FF68793CAA748E8CC0280CD9A45E,SHA256=0B357525E094D20342715194C9625C8413C03E58289AD82C85C4365D36957CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:19.746{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C094A28D597CA3044FC17E95A3454FB6,SHA256=F08D2D48E0795920A3878C07802C6B025511BD6ECD5CCC772269826CA0653969,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:15.599{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65068-false10.0.1.12-8000- 23542300x8000000000000000683888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:19.246{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7714E5C27EEB3652FE054D17958A0B24,SHA256=15FAB5EFE2CA94A13543E0F3161C4B99CAC8DF16CB401321A8AD6C7504A85065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623821Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:20.660{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0A7E76EBBF064C627FD83078EAEA68,SHA256=6FEAB5D62B63EBDA52579972EF7121553504AC325A37BFB37C6607E99EC11028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:20.808{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3D44D05CD1BAEA55A5A92EADEDDEA1F,SHA256=EE3CB5584B9CBE0AC187EAB1E49E60D6ACF577CE97EB0B7BE1464F9A3FBA4E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:20.277{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1833798A2D6606B5CE473909ACB96C4A,SHA256=510EC1E4ABD4E549BABFD3A8E5780FFCB7213C57B8DCCBD740F150CEB7D169C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623822Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:21.676{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219FABEAC7DA1A45F735BE6B47C2720A,SHA256=3336277A8539B800E122A0DCDBCF0CAFC747FCAE1B311E263070D0ABB80DAD40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:21.277{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871806AFDBEB2A59C70ECC817F9316C5,SHA256=159F2D560E560CAFFE3799EEF07DCE41E0CCD695CC06E4CDEB770503704D9841,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623826Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:20.004{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51609-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623825Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:22.721{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126BDDCEA050391C93CDF83CE73F608B,SHA256=9B645F2CF9C1FFF56E3EBD9CE2D18B84AC1C572CE19214997ADDB7ECA65EBFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:22.490{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7371033C2110373ACAE66236225E631,SHA256=DD714466E00E1410FEA3230372EBFFA971F61078146C63C53FEF50EEED027030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623824Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:22.158{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E32B6A20D0530F287E10DE4D1846AF84,SHA256=33F92C7F0B1F79800834030AA5E33B9BEB290149B01DC714DC488CA6742ED56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623823Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:22.158{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9360DFA1B5C1B5608BC9CC8A0B44336,SHA256=B32CE1C181C028A7306CC3DCF92D928308BB0DC3BB6357AD6E0C5B6CD5FE3A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:22.036{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118BB5C65BF4884C43E3E33C97D12354,SHA256=42879319B6272E5E52A52C20373D85D035205F8B043A53ACE299DE1FAF720443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623827Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:23.736{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143589D120308C8BBA37316A0A2E9BF4,SHA256=78BF2BC1FA6391FA5C59F6D37CA3DC39A8285C7C0127D6757EAD9CAD03357D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:23.536{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82D88387A0F074B00B22E3FBE33C45E3,SHA256=D68B49DEE428EE7AB69AFDDD77D72F497C638494B94408C12198962369C51A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:23.505{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30142587161BAABB16C9E7112BF336C,SHA256=C093F03A7F60554AF3E5EC9C982357FEC7C3FDC8D0CEB0E124D51D30311D9138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623828Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:24.752{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BC8336E4E92698AAC13BB6214EF2D0,SHA256=9B1012F1FF628653C01BD096FA35C5AAA8D62FD6E18AC17AB5EA3F02C37E8E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:24.630{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=434BEA6A251EC3D3E56964D5B369632C,SHA256=F6AC4D260C6B5C721CD3F76ACEEC727E9AB1CAC5CABC9CCCEE4902F5CF102B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:24.537{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D94A403F4A2CED3198398B238AEDC5,SHA256=BBFE7B2F9AE84935D4F1405661ED729A6632E9EF8F474E7041F36BF34A696C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:25.786{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56327651970C394B242C2132AD62FD6E,SHA256=5888B82234DDFAB11452612DC8F00FA2F16645D870719B283B0F8F3BDE456CB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:21.623{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65069-false10.0.1.12-8000- 23542300x8000000000000000683900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:25.552{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC74E10098AF8F8189CE20B651665FE7,SHA256=9920D9B5DAC85F45EE212DC4377E4CD5BC23D6294AA40874443ADFA5252045A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623829Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:25.752{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC71587CF8CA422FBF82B6BB58E7590,SHA256=6BB08FE705F8D81B8155265A86017BFDCDABB36BA8D2089A3F48BA027DC476A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623830Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:26.752{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45103327D315B7C8343665FDDC0A75F,SHA256=16F9D79359EE6E930622BDB3AB87A8CB410B947EC455BE77BA3D956AA38C1CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:26.927{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D3B2AB4BCE81AAD51ABBF7F9D2FACD1,SHA256=C2A6F00B3C00915C94D596A348CCDC0143912340D013701FD601F3B21FA47BC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:26.583{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612637540FAAD6CE0F414A7A8592FD68,SHA256=E3FF7BDA34641A8DCB9DD6DBB4411EC56D392B26A10B98B43EBB1F6CE4869E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623834Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:27.768{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB346026199843A35CB019EBBD49206,SHA256=C521D1A82AF201913AF02EE91BE75967E5F01617DC7FD2DBC73821C1C220E983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:27.615{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA3813F9759E8EF12B1A8994B7913C2,SHA256=67E4672C9AD6674027AEB9F925765F52131130848A3AB55EB3A3F09631A05770,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623833Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:25.111{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51610-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623832Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:27.268{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC0E91DF14224E26ED1F45678503D17B,SHA256=E316B919D17D308AC12D58105CF4ACDE823868C81B13866B9117226DFBF52C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623831Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:27.268{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E32B6A20D0530F287E10DE4D1846AF84,SHA256=33F92C7F0B1F79800834030AA5E33B9BEB290149B01DC714DC488CA6742ED56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623835Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:28.783{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608A4BFF5B922021CA9BE957B0C33C56,SHA256=652574EF7EED5181A7EBE87C60C52C4FB3942D4D6539EC8B36481AC9A72A0DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:28.630{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1329064CB4D7F08107EAF40B30853DC5,SHA256=BDFFDFCE86BE89D7973CAEC2E88F6194B8ACB2645526BDE92B99385AC26E7B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:28.052{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB8DE7C7A7B25F7984A45AD908F7F035,SHA256=A4B7368B76863D331A4569E5B057E7C3EDEA900B49C430CE09B4F523AF409BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:29.662{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50B6FE2C611675B747A0A00C1E83713,SHA256=23A83BF88AC1EA5915F7114BEA9CC4401031BB96FDF53113F99DE4DD446A1408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623837Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:29.783{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291BC9A671889C21081933867D67E59A,SHA256=667316E1855870712EE0C67979BEE6FBDA746002D687819AA12AB94BCE468275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:29.377{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9eb8cc1.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:29.255{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A48D78187EDB27FE31926D010D295EA6,SHA256=C39793AFAF0F57E45C977ADF83BA8C4E5D86DBB5798A73585020C15D9A9FA6B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:30.880{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D346C21333D4D1B59C9C591FB3CEEF67,SHA256=BBF7774DE3AB4BF68A26404DA5F44CE818485A8DAB574477B57A1D91397CE588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623841Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:30.783{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F153AA040EDD9FA3746CAAC2F94A24C,SHA256=06187D7C8E7F69BBBEC640A95490CD0199A982375802212489BDC04AB26DF637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:30.302{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9F7E26ECB60455334E37BC05EDDF0F8,SHA256=6B0833278C7F94397F54095D3376166A4C67D2A0F8521B00684EAA29255CB124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623840Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:30.689{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7A5F3E549E81F2F7E4A411EF7C35A0C6,SHA256=BC1CD12364BA45CD3FB9D88EBE31BBCC2E37031B35BE25B404EABC32246F8116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623839Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:30.689{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=12E96E57D53186AD2A817EC802541080,SHA256=327FA6B434E5D08363C9FAD9EB9179639708CA9DF3EB3A4D1FECB98700403416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623838Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:30.408{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC0E91DF14224E26ED1F45678503D17B,SHA256=E316B919D17D308AC12D58105CF4ACDE823868C81B13866B9117226DFBF52C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:31.927{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98B1CD048110F60A694594BC9547628D,SHA256=A33A23C540FA5F2DC5EE63C98053A1D7C23F7B8BA3929D350F2BBED82325A1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623842Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:31.799{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C0E1EBE2472995EF1AC0E8B04B4AF2,SHA256=2DB8E88FE8C19A2765D66922BC9D59EC4BE1C15914E0121C48781F2DAB9358B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:27.514{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65070-false10.0.1.12-8000- 23542300x8000000000000000683912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:31.552{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=886F0B6641DD68896DEAE510592D0B3B,SHA256=B58FB910655D48D84357E70FAB3D4098AFCB1CDCCD1B547DCC6B4AC1F1CA1E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:32.943{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178B610F988B53B0026F47A40DC44B65,SHA256=63A056B2B508F4039EA09B8DEA129F4178FBC6A9844B013640F9E9CB6930F7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623843Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:32.799{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF9780E7E8B84E97AFA01722CE9E17,SHA256=A56A4B1029A9BC4DDFD7AAC0B2DCED36D82ADDF0A54066FE2487F902747C5CE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:32.849{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A94DA352A69E9B0CB1E3CE24E08C00D,SHA256=AA8995C11E6E04E22E3F572FE02CADCAB79CE66735D7F18F88581E06ADBE26E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:32.740{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BCA520AACFB542E3EE35EFA9A1305E83,SHA256=A68D326FD4D78DFF788D4BE568A7F3A2CADFD0770D89B52EDAE30896FEE1BD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:33.958{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9A6E204B43826FB615D3A814C81C20,SHA256=9EFDA62E797DAFC161217F1BCB03DBAF17E953D3EF532E8A8167D0B7447BCF25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623845Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:33.814{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDDCFA9F0AE5CD4598152E75122390C,SHA256=BEDEB3A4B3ACE28B1DF5098E48C39D7182EDD969FBA597412096F1BF61116ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623844Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:33.221{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75446648960073CE1914F85BA0D07E39,SHA256=E4C725502FB94ADB3E43E65380F93B4926646E1C6F671B2854389CCC206D2804,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623847Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:31.049{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51611-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623846Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:34.814{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713D96186BA02329DEE67A4B4A179EC8,SHA256=43A352BC329924E376D53818B5E38F898421F085C22AAB823815F6ACF034601C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:34.990{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB502EEC70237572D310B6C903758CC,SHA256=2212DB6016924F33B67EFC44524A381325323D04705BA7A578772AD2F628BE42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:34.146{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=708B2FF58673337D90DB47B2660993B0,SHA256=F8859A4AEF0717C58EB2AD731ED1DAAC7E94B3A4EB802256CC4D0F7A08C664DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623848Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:35.814{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3F39B5879FC064EA2418B8319610A9,SHA256=9D3E59127EAB136A09EDA972B9F5C1ED74CDDEAEE906D666512EC3A6CFA7115C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:35.287{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C39948F1ACFDD968613ED5C93EDF4F0,SHA256=08675D111857B28EE710336EF4901975A017803F7A2CF263ED9F0B7FDEA96E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623849Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:36.814{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398F9441AC0C02DCCFB7C2DB7CC2C893,SHA256=C66495272D4C0D37A2F30D3C05AA84403AF9E042946CDBC52CAA34B23538B14F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:36.427{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA002C052BA2FAE12B83220A6C7C9315,SHA256=B905C474CE74A3BDB485922DDF6EB36B0E787445AFAF5F7299FC405BF9F9634A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:36.021{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0159415D2519DA4078F29CF66316E0E,SHA256=845B4F038DC9E31E140C750F9E81DF00ACB5FD0A3AB4621D2084A55C2FCF976D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623850Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:37.814{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D90598F2CDA5EAC51F8B75B8E5D379C,SHA256=C31FC473773F41F9F9C59D134D7FCD16A509F6CC2F6C53F7F8F98AB72741D748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:37.677{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C28CC357E9C9193EEEF0C09EDDD124D8,SHA256=C98B04697247624CBCA65F99D339E3A4275521D1919099DE373C43CF9E1701B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:37.068{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69A79800E31CC3E435864A59BACA31E,SHA256=F46636926A69AA63CB679A371797809DD43F4351E32960B1D5891E0F9F3D6B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623851Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:38.814{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6E5FF1FB6F04E5FB95D55DB7C6F52E,SHA256=5D9CD32E3D93A8EB9A540525E00314C14620EAEABE5F117566C46CB397F664FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:38.927{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77DAB920C4A1E6656FAE44AD25A7EFF6,SHA256=E3FC82025C8F0E8C6D80B9DE8C8A7DD80EAE163D41F0B84AE324B780C32EFD28,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:33.483{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65071-false10.0.1.12-8000- 23542300x8000000000000000683926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:38.115{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF721B8B01F79928E83C2C55DF85F4B,SHA256=33C0615094C3E030046622B32734C03BA5254C9B6E79D5B3947EFF8D59E8BACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623854Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:39.861{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70051EA525119656020439B71D5526DB,SHA256=E63EFE5FF99009F4B6999FF3D9E910F98E032F117C6D589EE79F128EF9E7DDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:39.271{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F3A6E64633AF55A645B8C3F0E0891C,SHA256=8BB023AE01AC550B8E688F8E1D50A0DE8D13552BE4370FD6F473FB0CF8896D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623853Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:39.221{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFDD7F42539DD6B7649D54C251B3441B,SHA256=8DC7BDFE07CB7764175ED7578C863A58E29D2EA2AE647EC07454B4017F3D28AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623852Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:39.221{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97777F40E6BF8A9D1AC034F834167208,SHA256=C10476FB38C20660231E59F532A55E96BCAE8AC791482328213601DE5E1DAB49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623855Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:40.877{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723C40F9747FE9CB7DB3853A69DF7411,SHA256=E728381A1261D7B9C383DAD30D7967CB5605502362467F573B3930130BD90F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:40.318{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE655E97B614BE01DD1B4B8EC4215FF,SHA256=E68082EC9ED096D24EAF0CDF1BC8046E43DD423E62839D48C1DF46150C6B8D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:40.287{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB13ADA0EA6EF56D228DDE9D3793A9DA,SHA256=98CB196B5CCF26E36596B4C5AEA390F25A1F45F92E1F9697F1E36013FC7B7EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623857Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:41.892{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CD35AB0249E203A22C4514CFFBCE36,SHA256=C4EFC5E0CB41725C355715F66EB03ECE745B79DCEEF5CBC9106204CFE8CCEC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:41.552{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD470005088D86BD6AEE7765F8B3479,SHA256=63BD261856C36BE7B71FCCE06CB01A0103787C3E2F499EFC537F8C002404468D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623856Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:36.991{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51612-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000683932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:41.505{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C0CB9904E1784351CD2B13245FB54DF,SHA256=AA4972869A963D16E8A15AFB68A30F4F3AED24289025B16CBC99FB57F34E22BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623858Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:42.899{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51557BD31031A1C646E9E042A967351,SHA256=21E9F3174325EECA25CF0546A62D60D51F8DEE5856B32699B3A5B0F0703599CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:42.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDF98E932C281007414F3E5220F58C6B,SHA256=E3D1FAA301E0AC03A609C4E1E924D22A094B0DBC3F870E401FD81CFFF2A63DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683934Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:42.559{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3AB6394952993C8C7E9DBC651A8FE8,SHA256=319B72DFC675FECE785FA3F01338C812534C7E69B2CF9F56DDD98D2B3EDE5154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623859Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:43.946{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7718121BD24C87331F73493CA838159,SHA256=832EE587C8317759A029C4B24F6C98C6EA59CE24AB56440B8D542183CA85AA16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:43.730{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5960AF42EB9D7DA54C126DB4AE4C019F,SHA256=3A5BDC3C8BDCB64938B060F851DF1115FC568C202F126AC644B10B6967361DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:43.574{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B7DDD8B0EB30FF916AE116F8A96054,SHA256=8EC2AC9E2EF2AE865C55559AEA3F34EC57A7A89D9EE26C9C6472DCEB457678AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623860Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:44.961{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BF80782EEAAAA100DB3F5CF6C051EF,SHA256=2269EA1A3A5622D1839CBCA9CFD832B7C5A9434689B73FFCFCFB90EEAEDC87EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:44.855{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDAF306763B3F87B2C37616F7C1F9A76,SHA256=52DCC02DA617DABC278659F4B5A91E282F894A131B601AE05CC612167E2214A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:44.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333B85499BEF0868BCE2F1563C1CD6B6,SHA256=8CECE5E2852FF5293D786F8901468FA13F42B4BDF752FA448E23295644DFA675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623863Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:45.961{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A49166EDD8603DAD4A3BD397CA2818F9,SHA256=9FA0E5CA4D20F07DF5988B7A8FA7AD1C1BFDA5E0DFC788936D02BC7863F02410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:45.652{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C561581A7FE850A4B0A875608E8DBE46,SHA256=C9E6A37C9819A9674DECD7E0F2F4331ABDD0C1B0C33A4F6AF88263C2A4764D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623862Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:45.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B937C16219047DD638A6C8EE0884B2C,SHA256=A6E150032DF993DFAF419E6C5763A121D97B3B5671D6A020EA71AFF2B4AACE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623861Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:45.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFDD7F42539DD6B7649D54C251B3441B,SHA256=8DC7BDFE07CB7764175ED7578C863A58E29D2EA2AE647EC07454B4017F3D28AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000683940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:39.521{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65072-false10.0.1.12-8000- 23542300x8000000000000000623865Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:46.977{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC1A6CBC324BA1F2F2EA9FC7D034F4C,SHA256=98535BD64F5188CC112546CC72AB58D75324A9A107CE8D70CFA4D5599332A776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:46.746{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3443CF51F1F8A40CA3A44B86D80B8984,SHA256=F0A4EA9BA143AD1A282039BA9ADC9B943AFA21826F4F842C73876E776A6B4B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623864Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:42.992{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51613-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000683942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:46.011{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4FE8B92CA09546109E09F917CD262FB,SHA256=CEBAD48495364D76C6AE1A3D282B7C59568EB98977F1621B1CFA5E399F3ACD8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.965{D419E45B-78A4-60B6-BF02-00000000C401}39765792C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000683990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.965{D419E45B-78A4-60B6-BF02-00000000C401}39765792C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x8000000000000000683989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.965{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CC94C14B9572B4D7E822DC3626BFF5,SHA256=C1A27FD4C11BBE9B5A9F4FD5B06016501532E9A0D2986CB2002F198B4E297B37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000683988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.918{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.918{D419E45B-752F-60B6-0D00-00000000C401}904384C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.918{D419E45B-752F-60B6-0D00-00000000C401}904384C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.918{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.918{D419E45B-752F-60B6-0D00-00000000C401}904384C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.918{D419E45B-752F-60B6-0D00-00000000C401}904384C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.918{D419E45B-752F-60B6-0D00-00000000C401}904384C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0D00-00000000C401}904384C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8484060C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8484060C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8484060C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623873Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:47.789{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-015F-60B9-145D-00000000C501}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623872Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:47.789{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623871Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:47.789{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623870Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:47.789{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623869Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:47.789{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623868Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:47.789{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-015F-60B9-145D-00000000C501}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623867Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:47.789{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-015F-60B9-145D-00000000C501}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623866Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:47.790{97C2ED32-015F-60B9-145D-00000000C501}780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000683977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000683976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000683975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000683974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8484060C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8484060C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.902{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0D00-00000000C401}9044452C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0C00-00000000C401}8484060C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000683949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0C00-00000000C401}8484060C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000683948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-752F-60B6-0C00-00000000C401}8484060C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000683947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-78A4-60B6-BF02-00000000C401}39765792C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.886{D419E45B-78A4-60B6-BF02-00000000C401}39765792C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+10928d|C:\Windows\System32\TwinUI.dll+d211f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000683945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.793{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C01389EC41B618FCEA99D05C8B33E3,SHA256=66AD573C100A16578C8337816AB226663861B8DAF73EE5E17081FD3D6CE54463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000683944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A283FC6DE3468ABEBAA3337FA9D461D3,SHA256=54D7BBC4289F34A5C7A7ABA732DE57770272FAF5802489653EA4DCB492AB79E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.840{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80EB350122A20CDCF94439844B97620,SHA256=602040E553371614D0D8C268A24D43E6A4B0203752F0ED3F21DBD94632FE967A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623884Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.821{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B937C16219047DD638A6C8EE0884B2C,SHA256=A6E150032DF993DFAF419E6C5763A121D97B3B5671D6A020EA71AFF2B4AACE3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623883Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.586{97C2ED32-0160-60B9-155D-00000000C501}51005696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623882Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.461{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0160-60B9-155D-00000000C501}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623881Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.461{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623880Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.461{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623879Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.461{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623878Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.461{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623877Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.461{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0160-60B9-155D-00000000C501}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623876Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.461{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0160-60B9-155D-00000000C501}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623875Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.462{97C2ED32-0160-60B9-155D-00000000C501}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623874Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.008{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946B9D81D9AB105C7B46DDACB18060EB,SHA256=A529BEB16EC5A4B95A9A4C7E88AFB7E9A63496B79AC003CE8322865BA82800D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.652{D419E45B-78A4-60B6-BF02-00000000C401}39766360C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.652{D419E45B-78A4-60B6-BF02-00000000C401}39766360C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=410010CECF3279F67224E781B6B1B226,SHA256=0A65AD73A42706370187CB2639AE1EEC2CB9504B45F4FD5F8ECE96DE466B8E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.168{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91DF5E484E899AFD376194F087E77BC,SHA256=D4246945A523ABCF29E802E99E9BBF14C2AFE9AD13EAB18933D334A668840C36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.136{D419E45B-752F-60B6-1400-00000000C401}11002844C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A3-60B6-B502-00000000C401}46766988C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000684017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A3-60B6-B502-00000000C401}46766988C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000684016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A4-60B6-BF02-00000000C401}39765792C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000684015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A4-60B6-BF02-00000000C401}39765792C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000684014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.105{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.090{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.059{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.059{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.012{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:48.012{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.996{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.996{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.996{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000683992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:47.996{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.855{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5990BAF47CAE0834CDE7AE9CA5677262,SHA256=37C1D468A1738329039519D8DAD00F4D88A746C833DB2D8D3466D8E56DE613F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623902Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.821{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0161-60B9-175D-00000000C501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623901Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.821{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623900Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.821{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623899Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.821{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623898Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.805{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623897Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.805{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0161-60B9-175D-00000000C501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623896Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.805{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0161-60B9-175D-00000000C501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623895Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.806{97C2ED32-0161-60B9-175D-00000000C501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000623894Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.274{97C2ED32-0161-60B9-165D-00000000C501}61282584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623893Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.133{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0161-60B9-165D-00000000C501}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623892Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.133{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623891Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.133{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623890Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.133{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623889Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.133{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623888Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.133{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0161-60B9-165D-00000000C501}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623887Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.133{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0161-60B9-165D-00000000C501}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623886Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.134{97C2ED32-0161-60B9-165D-00000000C501}6128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623885Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:49.039{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5713562D9C8BE62E6B3732D5426777AF,SHA256=2EE4CFB8EB5B184EA5FAFB609565844C5CD1D5A0048B4512D5E7BF286811DF6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.699{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.699{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.699{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.699{D419E45B-78A4-60B6-BF02-00000000C401}39761968C:\Windows\Explorer.EXE{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.683{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.683{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.683{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.683{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.683{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.683{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.683{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000684026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:45.522{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65073-false10.0.1.12-8000- 23542300x8000000000000000684025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:49.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8B49A04C809F80B882209E8804968F8,SHA256=675B48F2E9E3653E50BC8177AC677F3D8CBF105957155FD58C4CD8B7088A5731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623912Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.383{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0162-60B9-185D-00000000C501}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623911Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.383{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623910Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.383{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623909Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.383{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623908Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.383{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623907Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.383{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0162-60B9-185D-00000000C501}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623906Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.383{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0162-60B9-185D-00000000C501}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623905Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.385{97C2ED32-0162-60B9-185D-00000000C501}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623904Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.133{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B96E3C26F16EAC9C51E137C27EDFFF8,SHA256=5B8135D34CE48F67A48DBE5179367C68525DBD2035A0EF5723D0149E9F268A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623903Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:50.071{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC048726BF29F9CFD04D42AE6E51FF56,SHA256=7DBBE25FF529D3ADF38EB24AED18622D6E0648DB8DE3354AB0DA33B1840F0732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:51.058{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48A2CD1138C5A43DE6281029C5EAF71D,SHA256=E3A271D954FF9FF2354297FA2F16FF4065D1469302DA69A5299EB6DD5C0F052E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:51.058{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7FEF2D116F20F63DA6A7B8318EB618,SHA256=8766F56758D38B7F88F549E202D80AAC010AC34A6D90A19A6EEE98A361A77DF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623932Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.867{97C2ED32-0163-60B9-1A5D-00000000C501}61246048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623931Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.727{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0163-60B9-1A5D-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623930Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.727{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623929Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.727{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623928Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.727{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623927Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.727{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623926Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.727{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0163-60B9-1A5D-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623925Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.727{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0163-60B9-1A5D-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623924Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.728{97C2ED32-0163-60B9-1A5D-00000000C501}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000623923Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.493{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3589AC4DD5692EA4D5B46980A8FFCB99,SHA256=B3FC2EB3B3EF70170E0CF03ED62DE06B0B3D921825F1DCB8D890AE6FD012574B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623922Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.196{97C2ED32-0163-60B9-195D-00000000C501}9964552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000623921Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.086{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CABC66F5B5318F53184228329A4615,SHA256=474A7F7D26762993493598A6CC3B31A8B88D19058922613E3A20894386C9A376,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000623920Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.055{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623919Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.055{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623918Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.055{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623917Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.055{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623916Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.055{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623915Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.055{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623914Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.055{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F379-60B8-2B5B-00000000C501}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000623913Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:51.056{97C2ED32-0163-60B9-195D-00000000C501}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000684047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:52.465{D419E45B-753F-60B6-2B00-00000000C401}30085188C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000684046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:52.465{D419E45B-753F-60B6-2B00-00000000C401}30085188C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x8000000000000000684045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:52.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14269028B72E392227D62203B39F0A56,SHA256=ACD3D44DCBAA8038B3177B057015ED082B7B45728EF0D4050E0D3B9F1F6DF182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623935Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:52.743{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=561858E786FCF6685297310BDAAE4484,SHA256=A4C93E4DAAF7DDABA105906C4618B4889269E13145EDF37C1E222922D568D16D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623934Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:48.915{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51614-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623933Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:52.102{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37488558CE715894769F48E8EBA5106D,SHA256=C737F1D5AFDBB662ADDC9F7DB45DB751E522F62B50A5602C1AC665C6E3CE0020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:52.090{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67906634A7ADF946B0B4F966F713BA18,SHA256=8AA83BC74333556B1D3E0D1D07C17C462BCD96CC2A5E4940FAB04D863C8232BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:52.058{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000684042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:52.058{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000684041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:52.043{D419E45B-78A3-60B6-B502-00000000C401}46766988C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 23542300x8000000000000000684049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:53.215{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D1F2D8BB44BF85B2F87C02898EDCA34,SHA256=9071AF5F8AF4885B08F3C1160825B475C2E71E17F37B92D7F3ED5C4EC2A5BE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:53.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B6850FEFB69FB1C2C011C6FD94311D,SHA256=8FCC9B2AF0AEFD18853FF3650E6046CEB1D69762348DAE0ED67011A67530B2D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623936Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:53.102{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE324B0DE15170E2741AF911660ED770,SHA256=B464E3E42387557B55DB37D5BFFDDEAF8F6A9A9B556A03A34D3DDAA63C52B485,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.996{D419E45B-752F-60B6-0C00-00000000C401}8486192C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000684077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.996{D419E45B-752F-60B6-0C00-00000000C401}8486192C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000684076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.996{D419E45B-752F-60B6-0C00-00000000C401}8486192C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000684075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.636{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b3175|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.636{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b308e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.621{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.605{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.605{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.605{D419E45B-78A4-60B6-BF02-00000000C401}39765792C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000684069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.605{D419E45B-78A4-60B6-BF02-00000000C401}39765792C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000684068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.590{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4f255|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000684067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.590{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4f255|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000684066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.574{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4f255|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000684065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.574{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.574{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.574{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.574{D419E45B-78A3-60B6-B502-00000000C401}46763748C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000684061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.574{D419E45B-78A3-60B6-B502-00000000C401}46766988C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 354300x8000000000000000684060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:50.535{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65074-false10.0.1.12-8000- 354300x8000000000000000684059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:50.524{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-233.attackrange.local138netbios-dgm 354300x8000000000000000684058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:50.524{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-233.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x8000000000000000684057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.543{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+51d19|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000684056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.543{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+51d19|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000684055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.543{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+51d19|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000684054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.543{D419E45B-78A3-60B6-B502-00000000C401}46766988C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000684053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.543{D419E45B-78A4-60B6-BF02-00000000C401}39766360C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.543{D419E45B-78A4-60B6-BF02-00000000C401}39766360C:\Windows\Explorer.EXE{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.418{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=154BC7304400FC928BE0958C865CF551,SHA256=83C93B22CABE11C506B6ECC3C4F7C2FE83EECE945FFBA73AC8BE3A501D4A7B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:54.121{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFD4F8250CCAAC5235955A536552465,SHA256=8968A254697D197C6974E96C5D4AB47E9B9E47A7E0CBC03492BBBBE90E024D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623937Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:54.164{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E16AB7B4B7C10F0D9ABF40507C93A4,SHA256=233595428740751CE7806B81ECD436CE8E722527AE926F39832AC8F0B21D1D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623938Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:55.180{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7DE6AC46B0AF7C3CBB165ED902515C,SHA256=23959FDFB03AAE47C98369A3291640D354D2DF2A8A797EA05FB6E5127DB7BEDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.761{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFDB4C44B47BB54215002FCF69DA7149,SHA256=3625F41D5B8664C0FC0CA0B521D6684CD1FC451E828362C4B0571E2ACCA409EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.699{D419E45B-0167-60B9-A852-00000000C401}3522476C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a47|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.699{D419E45B-0167-60B9-A852-00000000C401}3522476C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419b2|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.699{D419E45B-0167-60B9-A852-00000000C401}3522476C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.699{D419E45B-0167-60B9-A852-00000000C401}3522476C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+141997|C:\Windows\System32\windows.storage.dll+141373|C:\Windows\System32\windows.storage.dll+1411f9|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.699{D419E45B-0167-60B9-A852-00000000C401}3522476C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171006|C:\Windows\System32\windows.storage.dll+1412cc|C:\Windows\System32\windows.storage.dll+1410a8|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.699{D419E45B-0167-60B9-A852-00000000C401}3522476C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170ff4|C:\Windows\System32\windows.storage.dll+1412cc|C:\Windows\System32\windows.storage.dll+1410a8|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.699{D419E45B-0167-60B9-A852-00000000C401}3522476C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+170ff4|C:\Windows\System32\windows.storage.dll+1412cc|C:\Windows\System32\windows.storage.dll+1410a8|C:\Windows\System32\windows.storage.dll+53731|C:\Windows\System32\windows.storage.dll+53679|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.699{D419E45B-0167-60B9-A852-00000000C401}352ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF9f3c9b4.TMPMD5=F69BA1EDBBB1138958A985DFDE6A0032,SHA256=76900C581E9CB646065A6FC450F5394F652D33ECC9EE5F1A203B36083BD985A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.668{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.636{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.636{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.636{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.636{D419E45B-78A4-60B6-BF02-00000000C401}39766016C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A3-60B6-B902-00000000C401}5116512C:\Windows\System32\taskhostw.exe{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A3-60B6-B902-00000000C401}5116512C:\Windows\System32\taskhostw.exe{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765316C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765316C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+f744|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765316C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765316C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765316C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CF4A9AB9C261789731C999113A6AE5C,SHA256=2CB44A97C0D3790FF74D309B10D84740835F4AAAFC9A5DCF72CB136C90B1B1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC74B6BD053B3F56114EC45A89DF8775,SHA256=63A414E484F568F1A27693802C16361115C5F55D44FAA3421EE0AE347790CDEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.590{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.590{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.574{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.574{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.574{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.558{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.558{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.558{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.558{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.558{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.558{D419E45B-78A4-60B6-BF02-00000000C401}39766364C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e61f|C:\Windows\System32\windows.storage.dll+16e295|C:\Windows\System32\windows.storage.dll+16dd86|C:\Windows\System32\windows.storage.dll+16f1f8|C:\Windows\System32\windows.storage.dll+16dbae|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+1664ae|C:\Windows\System32\windows.storage.dll+1661a2|C:\Windows\System32\SHELL32.dll+90ee1|C:\Windows\System32\SHELL32.dll+8fd46|C:\Windows\System32\SHELL32.dll+d0c11|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\windows.storage.dll+2d1a2|C:\Windows\System32\windows.storage.dll+2ce99|C:\Windows\System32\windows.storage.dll+2cd6f|C:\Windows\System32\SHELL32.dll+d0c97|C:\Windows\System32\SHELL32.dll+b6e2e|C:\Windows\System32\SHLWAPI.dll+e1f7 154100x8000000000000000684090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.541{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000684089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.511{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cd20|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000684088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.511{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cd20|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000684087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.511{D419E45B-78A3-60B6-B502-00000000C401}46765056C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+4cd20|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000684086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.511{D419E45B-78A3-60B6-B502-00000000C401}46766988C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000684085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.511{D419E45B-78A3-60B6-B502-00000000C401}46766988C:\Windows\System32\RuntimeBroker.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000684084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.155{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000684083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.155{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000684082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.155{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000684081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.155{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000684080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.155{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000684079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:55.155{D419E45B-78A3-60B6-B602-00000000C401}7765696C:\Windows\System32\sihost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000623940Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:56.321{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A45EBF26F17E6D00FC7E806A46C279CA,SHA256=B306F1A9C86CDE1C36DED231082E577EED38F02E4FCC92680B2C87B08DCF64E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623939Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:56.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689B02D826D2D1404F84B5E58A3F1DC3,SHA256=56B5ECBBD94430C4DB84850D1A58099B965B4A49B76674FC619155AB6114B6D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.871{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.871{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.746{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5945040B60DE19B1A5FE3F4FA3CE20B,SHA256=478C0B52261C84DEBB925A5E49C774A189A7C5D578CB09E394C5BFEFA1982EF9,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000684135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:20:56.715{D419E45B-0167-60B9-A852-00000000C401}352\PSHost.132672108555415485.352.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000684134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.699{D419E45B-0167-60B9-A852-00000000C401}352ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_c0yqhoai.3nr.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.699{D419E45B-0167-60B9-A852-00000000C401}352ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5xrbm3lp.cqd.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=88298336A3685BFAC3FFBF3689B76713,SHA256=21C2995FC261E4AEB40EDB41AD689F9A97F9B963E0537C55337CE31545BFD4F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.574{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5xrbm3lp.cqd.ps12021-06-03 16:20:56.574 10341000x8000000000000000684130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.574{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.168{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C16C778F252C6583A31EEAA88FDF1E3,SHA256=1510229D0D62665AC6BE763A4070062FD1184EB76DCE48F051742CC880099E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623942Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:57.227{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40CC2371D56E7DF35675BCB1EC14CBA1,SHA256=66C43B3BA1F044FBD47A1C102FB308CF23C19D8AC720F92488BD8E34E2A95638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.886{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-0169-60B9-AA52-00000000C401}19602076C:\Windows\system32\cmd.exe{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.867{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-0169-60B9-AA52-00000000C401}1960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1 10341000x8000000000000000684147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0169-60B9-AA52-00000000C401}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-0169-60B9-AA52-00000000C401}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.855{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-0169-60B9-AA52-00000000C401}1960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000684140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.860{D419E45B-0169-60B9-AA52-00000000C401}1960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000684139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BCA2D406077173BCAFC2507769CBB9,SHA256=391ECC0908EAC7754442F3B56FEFE1D4ADA8A4259E17F6E8C38F847A407021EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623941Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:53.930{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51615-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623943Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:58.242{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB19A5F16C5B2D173B49F2E2123CBDB,SHA256=E92173F436DA4C0E6BA3C1DB9FCEAE66D8FE49036FAF9246B9110441CDF425F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.980{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B799AA7E34C7589159C8CBD3CFA8A12,SHA256=F9229C4BA6599EAA5A30AD8A08856B38DE371D386277C35DC94E8C07C2EA789C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.980{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0FD5A307F92B7EB244A4F609514E01E9,SHA256=E8754E836C7054AFBF2894B93238F2E2BBE6C7516AD4FB1674F5141167D58CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.340{D419E45B-0169-60B9-AB52-00000000C401}5440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.340{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E9CA703722ACECE32FC186BFD01696A9,SHA256=0182A23E412D4BD992D293477D90A5A4CE6C6CADC63BCB732D41BA9E5ABCFF0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.308{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.308{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.261{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.261{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000684163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:20:58.230{D419E45B-0169-60B9-AB52-00000000C401}5440\PSHost.132672108578671454.5440.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000684162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.230{D419E45B-0169-60B9-AB52-00000000C401}5440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_qa42v0nw.ugo.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.230{D419E45B-0169-60B9-AB52-00000000C401}5440ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5fpbasc4.r2e.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.215{D419E45B-0169-60B9-AB52-00000000C401}5440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5fpbasc4.r2e.ps12021-06-03 16:20:58.215 23542300x8000000000000000684159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:58.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509611532CABB7CCEAD0B1DC128E141E,SHA256=AD2D003BD5E0E5E3E3484345DBC0C19E8C94A3D305ED9112C7B5BE589705BCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.996{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25E687D001498BFBF683F38B12871756,SHA256=D2798793F9E98EC92DF2593AC9C45121D4E7BA5A2888A193D5ED667677AA9D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.996{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2CD48E3B102636DB981F96CFA4801B3A,SHA256=FE9F65D63605653412C4B8380574C0CF121E57C4BE22B1E269AD4F2158A7EFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623944Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:59.244{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6606ACE8BB9E78DFBE373BF440B4DA83,SHA256=751679C7F12245AC6D32313ECED91F68244DB2EDE5ECE09D486D3C894BAC5D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:59.199{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122C076C3BB0AD4474C3763E328C2EDB,SHA256=4678E41F8A942963E11BBC867891D293B206087D569A80876D757912D119F4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623946Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:00.589{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623945Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:00.245{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3494354F7BA4E8F3293AF757AC2991,SHA256=2E930CBA7808F24472BAC5BDC20B7CA0426892C4AB103DC4BB880F693B649689,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:56.475{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65075-false10.0.1.12-8000- 13241300x8000000000000000684177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:21:00.496{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000684176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:21:00.496{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Config SourceDWORD (0x00000001) 13241300x8000000000000000684175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:21:00.496{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_368F3813-04AC-4615-AECE-5D3085605520.XML 23542300x8000000000000000684174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:00.480{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B019665C908AD2057B8E3F7D99FC2F7,SHA256=C1448DA92AC562EAE59F39B5207EDDE357785CE7232EF74D5F72F1552BCF41BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:00.480{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C3C234BCEFADE8061C76B0ED7A03E7,SHA256=DA8B0FE4F65C5E899062B8CBA6FA58E83CE0E7CBAE8E307B052170FD5FB9D1AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.927{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65078-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000684185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.927{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65078-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000684184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.919{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65077-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000684183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.919{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65077-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000684182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:01.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B7DD3A4D9545F5663211BE03E94ACAC,SHA256=323E1C8B9A6CE337B5640399823564D74A5087427EAA046FEB295EFE2E35AE32,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.896{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65076-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000684180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:20:57.896{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65076-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 23542300x8000000000000000684179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:01.496{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=705FA536CB878B6BCDBB444B69EC188B,SHA256=90F51EF09A3EA28CA6CCB53C4AA8EB321FFB42F666FC1A7009D90A17F91B4CEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623949Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:59.026{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51616-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623948Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:01.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4607E4BE0044A105E541C0961DBC5EC,SHA256=2554A4409B44763CB448515710F6B11721912DDC9541CB6300A08A1DA75D0708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623947Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:01.200{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40125AA895C9D5ABF1467FC8189AD3A3,SHA256=8187EFC2050A3B7AA9EAEEC101E5DB9D2F6CE47C0E3B11F609D4A7EF385BA4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:02.766{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31A1E12F03988AEC00FF2A7D75A6953C,SHA256=DF7141A9264E238D6CC016B7D7E2A17633B6876C072C8458A465764F0A3AED45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:02.766{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE22E65CB006C8BB5ABF20CCEF9145F4,SHA256=AC0281E4CAD5CA9C3EE9EE5E0BC6FC18B0A393D5F2FB82D894B13748E467C92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623952Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:02.857{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5A05F21EE99C33E34C1B0B72EDCA6008,SHA256=B2483E689C9109F4769705767D2DFE75E144B214F57BC6686668423846CF59CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623951Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:20:59.433{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51617-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000623950Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:02.247{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A5B42912088EFA11135CD23720C5ED,SHA256=8C66C6F6899C9853943B149771911D5AEB3592C30CEB1AD838B8CEA4AB5BE0B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:03.881{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1020F2C5E4FA58CEB6294621C1D79187,SHA256=63707F8040AFAA692BCF376033786859679A142614950A6F102601C72E560083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:03.784{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CAB90263DF5B39397BE77CB9AA09AA,SHA256=585A4596E85D77326E2713EFD3176B540C72DFC190F3BBDDA2F4AD0DB0EEBF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623953Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:03.278{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1F90B64DB5F7634CF049E46A05FD09,SHA256=CCE7AA04C0EF515C02EA197BF0CE210E0B168071987314ED697B658B2281BD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:03.659{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:04.797{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2625FBA168BA1A87951E883273D2BBA,SHA256=35317F9FCBD625BB2CA46FF28AB74987ED77E4603601DD26B9BE790F5828D580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623954Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:04.310{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E5D210996F6D70656F13CE588AA31F,SHA256=366E43138B1FF6CBBFDC584726AD147E4CD4BC87B2669703E4C53ECF92043DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:05.833{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42AD91B790B7D8BD75AA1CF4436A016,SHA256=BB2186097EEB2F91F21BB6DCCD6076380BD9E916EA83481815F90CD1B20A9745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623955Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:05.325{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECAB01DE7B460CA69F8DB1630182EDB,SHA256=ED5BC927C86C067DCC8014D4DA3BC739D74293493F62391B454F11E3F8951074,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:01.477{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65080-false10.0.1.12-8000- 354300x8000000000000000684194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:01.058{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65079-false10.0.1.12-8089- 23542300x8000000000000000684193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:05.004{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=301DBC6CDB89E15B05FB5F0ECE1C896D,SHA256=AE57196D186EAEDB57CEAEEDE032E78CE5DC6018EA74FBED93AA360B7290DA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:06.848{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0528107671C8EED530CAA7D79EF2BC,SHA256=DB988F81E888A4DA930159DB09710451F06207ED8D154E67D2973622FA2A7A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623956Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:06.325{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B990C3DDC0F979467B07351D96476B64,SHA256=2391BF507FCA91B49A08610EC67431E6E4BDD97894CB8107376434F30EF605F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:06.067{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8096B6D729077F686F12356CA3FB3CA,SHA256=839FC97883DFFFB1901A93B8AAAF21C5568F3A20080D3E7DAD11C4C03A9FE0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:07.879{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCA37B723CBA2DB43F83A8A55F6C07D,SHA256=72D56532AAD222C4ADAC9D304E05DA88772027E987D66E3AF41B5CF05917B4C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623960Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:04.919{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51618-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623959Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:07.356{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45C51C7A6B13BA223C4288F5C91A50F,SHA256=9FA79BABDF51F567095165F73498EBB98D898345509C4BA509F670E0B06F84C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:03.169{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65081-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000684200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:03.169{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65081-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000684199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:07.161{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E795534EFDACC684BD07EA99425C606D,SHA256=ABCC219E4147B5E19A0D7DFB150E7A30D8A4B8ACBABCB68B7BCCC141191C01EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623958Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:07.091{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD337807591EFE61B3925036F70A1FD3,SHA256=EA6F0F5C6DF76CF44E98C71B0F5222281B03EFCDEA418C0D60354AEDD04B8C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623957Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:07.091{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC71E48D4DFEB11E03D6D21F5863543B,SHA256=4950AFD77AEE55ABFD4B85E3C3C01D3DD6AEF607370D40518757BE8413D71AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:08.895{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D84B5105846A27DA46A4ED61E5EBC5,SHA256=9D66538A60B0100567832B112490D92C50420933916F2FBED5B584B53215FF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623961Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:08.403{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA06C4C11675207F5FD4A88918507A3,SHA256=AEBC5005BBD9DC20C5047E08BB082997EC5F2C792870723C475C5678D7265F79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:08.364{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E11C0FE14A1D9D5E0AB88B03F3CA1F24,SHA256=10F5667E43ACFDCEE118FE9930D3F6B9CA1F7E88643F7EAF80B1FD6FECA578AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:09.926{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC2D04B4761442854B9B1A921CF93FD,SHA256=26001B15865DB56C11A2C028A07727905877968DA6662E413CAE512B63BBBEAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623962Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:09.435{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC65EAACCBED0200F8A5A06DCBEB89F,SHA256=63CD7581CF69D2705B361CB17F09FF1A17A6390E6CF8ACF4AFC7181625A2A1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:09.598{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE5B8EE2BBA552FC85848745CF504362,SHA256=410FA5A1E9AA103A404ADECA3BDB35FCC8015D104D5BD4DFF202E5F36AE2113F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:10.942{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C22174F8116013D3DB1467C22575A8,SHA256=2DAA77D654EB6BC94679EA57C465D657101B3F80D70DF3A019A5D4C3110E6D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623963Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:10.435{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FCFFE6CC9CC053D6400C7694DDAA9A,SHA256=F44A10607C094BDB7CAD5B6443790FE45C9B7F04E0CB9D5816FA67BE21579623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:10.848{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EE00C3B24458084CD491200CC565AAB,SHA256=7E5315451911A862ADB4C2A2C63C5B985864E702F1CCB7FE5B7731D95A0C1ACA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:11.958{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7535A9390DEA9872CD08241FC9654CD6,SHA256=4144E087DAD9C23DDF7693D8FB0B5A0898EBFDB07E99DD030CA955D34F895AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623964Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:11.435{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9A50B48FC25A782443980AA296BDF3,SHA256=E197DFC62829000B088A97B699D73FD842B81E7D7A4C0430BAA90EEFD880A1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623965Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:12.450{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874E74CB4A898D42150EE2E2A9B8466E,SHA256=855E412DD5B0E44B9EF86571B88E2B896E878680A32848D2A135ED6E0631970E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:12.161{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15B26BB73D47790487826B09C50D05A,SHA256=F9E4F4284933F8A028CB72B6B7B5D587F2F2F6591C83CA94A16DB4DDA2A24E96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:07.450{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65082-false10.0.1.12-8000- 354300x8000000000000000623969Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:10.935{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51619-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623968Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:13.450{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2CA7696982E55C8F56FD112998AC326,SHA256=862D8224C34F6143D1DD7D59281C23729D3D03B57FF6B54423CBDE1E9017301E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.911{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0179-60B9-AD52-00000000C401}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.911{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684227Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.911{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684226Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.911{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684225Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.911{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684224Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.911{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0179-60B9-AD52-00000000C401}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684223Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.911{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0179-60B9-AD52-00000000C401}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.912{D419E45B-0179-60B9-AD52-00000000C401}5688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.317{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D76633D2A6CA5D2568B93825B9F38DB7,SHA256=192ADD82FF29B396513A6C2353D87D863C9D88D47C2F5B3421F87DA1C15DA33D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.239{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0179-60B9-AC52-00000000C401}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.223{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0179-60B9-AC52-00000000C401}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.223{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.223{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.223{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.223{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.223{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0179-60B9-AC52-00000000C401}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.224{D419E45B-0179-60B9-AC52-00000000C401}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.004{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D71CDD1D8954A6FA7F46BD06C4E8154,SHA256=66E1F4D5A7C7EE50E94BC9BA7F326EF379429EB76BBCCF2CB295DA8BCC01C955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623967Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:13.106{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C4BD372F7D1F1874DE7FFC9DDC0F7D,SHA256=AB4672C672293885AE277E4CAB3FD54742BD95AFDB110E8634A7189F239450AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623966Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:13.106{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD337807591EFE61B3925036F70A1FD3,SHA256=EA6F0F5C6DF76CF44E98C71B0F5222281B03EFCDEA418C0D60354AEDD04B8C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623970Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:14.466{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C13FDFE2B3D23C3FB8F22F46C6DD9F,SHA256=95412CFFB37E0744A492AEDD93ED9977DB5C5D0B45D1EA251A91001ED686E7D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.739{D419E45B-017A-60B9-AE52-00000000C401}5276364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.676{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AE050314CB3E18B0169BC318C88BC37,SHA256=348CB1E87C55B22D7622DB7E2D49EE5B154183D781F485D1DB1661E07AD397AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.583{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-017A-60B9-AE52-00000000C401}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.583{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.583{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.583{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.583{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.583{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-017A-60B9-AE52-00000000C401}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.583{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-017A-60B9-AE52-00000000C401}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.583{D419E45B-017A-60B9-AE52-00000000C401}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000684231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.114{D419E45B-0179-60B9-AD52-00000000C401}56885076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:14.020{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01242A837AFAA649C6262A850F22798D,SHA256=D029D3149FD6FDD4FB7D4568962B62C7ABC79E3DD1A8E71BE4E4DA073DC2477A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623971Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:15.466{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE58AE5282C1B2DB8EF2FB5CBADBE733,SHA256=71251DA12CC30EC62EAF1638B9EFE1614B89573D57C80A5322E6556798F80A66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.770{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-017B-60B9-B052-00000000C401}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.754{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.754{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.754{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.754{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.754{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-017B-60B9-B052-00000000C401}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.754{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-017B-60B9-B052-00000000C401}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.755{D419E45B-017B-60B9-B052-00000000C401}5860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.676{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5CB686F69056CD1FA1DA317625606DC,SHA256=1320884692925A0FB323C50CB597BFE33A97177449A1CF94A44DF497922D5220,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.426{D419E45B-017B-60B9-AF52-00000000C401}52881412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.254{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-017B-60B9-AF52-00000000C401}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.254{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.254{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.254{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.254{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.254{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-017B-60B9-AF52-00000000C401}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.254{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-017B-60B9-AF52-00000000C401}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.255{D419E45B-017B-60B9-AF52-00000000C401}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:15.067{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567AC8DF8E3B91C6858AA720DD80AAEC,SHA256=1C83FDD299CEF4C7DF514DE8F90982A7C0C5779F43C5F9A238FC2C4094FC5D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623972Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:16.481{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128C41EED8934584E98C0E2871B40124,SHA256=FDE1BA581AA6AA0FB9577D4DF49F6373B0C8E6AB227C9331A094F2A6D05EBA54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.942{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-017C-60B9-B252-00000000C401}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.942{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.942{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.926{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-017C-60B9-B252-00000000C401}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.942{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.926{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.926{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-017C-60B9-B252-00000000C401}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.930{D419E45B-017C-60B9-B252-00000000C401}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.926{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=457528CEB00B7C61D249C501DDB97872,SHA256=47751F4951E1B3D1BEB0F21F2C25759E0394D761D7D2206B6FEA9F42EDC40636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.442{D419E45B-017C-60B9-B152-00000000C401}52046392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.270{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-017C-60B9-B152-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.270{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.270{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.270{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.270{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.270{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-017C-60B9-B152-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.270{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-017C-60B9-B152-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.271{D419E45B-017C-60B9-B152-00000000C401}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:16.083{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C750CCD7CBE60B6E1DA64F49F2EE864,SHA256=E1A4F3C3DE2D2739F92A0DC66548111358E0B2031232E6A3A70D1BAA1A8F4E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623973Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:17.497{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732B1EABF7E614C617051450B19E9B5B,SHA256=597C6A75AE1B31B0A0290ECEBFC79FA77188762DD6F607538BF421237FE65545,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:13.466{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65083-false10.0.1.12-8000- 23542300x8000000000000000684280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:17.098{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3AB8B64DC507F9469CBA341CD2F5B6B,SHA256=B5F37EB7646788B8744E55A0D98222F4E828AABE73C90A5FDD4C18A1A8045E3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623977Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:16.013{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51620-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000623976Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:18.497{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4BF6BEFD93485688D4F0505C899FD8,SHA256=781FF894FC67E88A405EE6C8FA5B3C101B82E9259C3E6AA8C891CF8ACAE27279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:18.286{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0BCAE3D107F46C329E1FDDA5A71EAB2,SHA256=3CB937617C6CC299B33E0290CE8E8167D045C73F3FD26764005D9FCA03956D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:18.286{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8432BEB0A5881C9434138F832B55A7FF,SHA256=B899364DED195664509A75A5E8DFD5971AC63AF0EFE499694EF771C24D97F9CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623975Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:18.169{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A2AB77A6C803E15E5CCAD8D4F2F9627,SHA256=1E478EF570734C573347BBFBBC5293895F46B01D5196809AC3B7A8799612BF13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623974Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:18.169{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92C4BD372F7D1F1874DE7FFC9DDC0F7D,SHA256=AB4672C672293885AE277E4CAB3FD54742BD95AFDB110E8634A7189F239450AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623978Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:19.513{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D9C5ABF53F143F145E642B7A17B6F8,SHA256=466632163CDD44D8F7657D6B6C8A88AAEAFA8FA913003E6D1E098B3F949907D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:19.973{D419E45B-0167-60B9-A852-00000000C401}352ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=7074E2130B198D20A6131AF62708F661,SHA256=CAF8DDBC3E4A445EEE252E18AAFDBD0CB0A099A2F6289EF2B8A2041377C3F977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:19.426{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B59EC195C947445C679FFAEC872FB70F,SHA256=3EA6440E3C21EC357AD3DE714805942368854AE68AB5947EC59B649D4A6B25CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:19.286{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24EF91B140EC8E37FE9C3B5A88934DF,SHA256=7328D6E1F4DA3E6D84C4089966DA41D89B1B0B4C5315AA5C96E68A3E7A6759EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623979Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:20.513{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36A24DCF222828FD5A9A6EEB1B45849,SHA256=F7A5DDFD662A5F6AE11D1F6B005F37BCFBF1B08A019B9C466A60F9AC26C29A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:20.458{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1562AF3EB91F439F09150FAB96121AAA,SHA256=1E2026714E61CC712362013098C0DFCE0AA4482172803AF93F5E0BF12FFD82AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:20.333{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BED21523B0D3DFEC90EC3BE2568A52,SHA256=F01D794E0A9EBA86B757DD3BED702E6ABC153C2112602C9C0B88C8551B655543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:21.567{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FD60205F4EFFDB527032819AFBEE5E6,SHA256=72CDA1FCA13E3F28A67D96A810409A56373D52A12EC5527194D30A80785F93D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:21.348{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC68812AF2DD767D5AD8260319009523,SHA256=C9B17354EA6CC10C40FA72F28F4966A84F09ACE85636FE7CA6BB1797D67D7C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623980Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:21.560{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B8C306DCCAF62C319F950CF7E65DF7,SHA256=65890F7962299F70C550F78DFA48CE574520F46888DDF4289A50AA82594DBAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623981Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:22.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4429F294580F9F0598DD4AA627D122,SHA256=D613F1712725071524DD75153B395CA6B5CB9239678B613C9A464B9B93783B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.732{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31191772388B971D05FB2E91AE6BF03F,SHA256=E969E5810EB69172273C97C73F89FA7C4B2B7D3761104FFD64FB099488FD1788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.357{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B47BB2B56FA52E601F11723C44B05B,SHA256=D36063D2C6129D3F400D4C1C8AA46109A3B251DBB9FF5A215B2CAF4C9FE60359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623982Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:23.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C951AAE0FB12CDE7BF1D648684C13BA,SHA256=F586110B26A7CAB3EAD409CADE3A78F513F614225D90D47D89C4A2CDDE65DCA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.467{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B61CB2CDEF41B8E87F329303CC11624,SHA256=A43EB399B7EB0D420CC16B711D99FAB33EAECE41D8021F02F7AA7B659316A2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684319Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.310{D419E45B-0183-60B9-B452-00000000C401}5820ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.310{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BDC10C7412AAD5ED8E53A6AF0067C8C6,SHA256=100FB2DA2501DFA29A1F7ACEFC08EAF2254E3BDB99C1BF62811E2FAB77A03BCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.264{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.248{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.217{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.217{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000684313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:21:23.185{D419E45B-0183-60B9-B452-00000000C401}5820\PSHost.132672108830100006.5820.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000684312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.170{D419E45B-0183-60B9-B452-00000000C401}5820ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mqrghymi.jwb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684311Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.154{D419E45B-0183-60B9-B452-00000000C401}5820ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2k24ydqc.k0u.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.123{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2k24ydqc.k0u.ps12021-06-03 16:21:23.107 10341000x8000000000000000684309Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684308Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.014{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684307Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684306Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684305Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684304Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684303Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684302Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-0183-60B9-B352-00000000C401}2208432C:\Windows\system32\cmd.exe{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684301Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.010{D419E45B-0183-60B9-B452-00000000C401}5820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-0183-60B9-B352-00000000C401}2208C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1 10341000x8000000000000000684300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0183-60B9-B352-00000000C401}2208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-0183-60B9-B352-00000000C401}2208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:22.998{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-0183-60B9-B352-00000000C401}2208C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000684293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:23.000{D419E45B-0183-60B9-B352-00000000C401}2208C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000623985Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:24.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96B20C3751F10538170EEE669177FFE,SHA256=0C1DE45D47CF89D624839E0FB6877972FB7271203629A018E414301530AEE78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:24.545{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6B25E049B2223E086B2DA4A8D1CCA8,SHA256=87162DC3FDD45980852D57C26AFA6068B9226B6FB83F19F80BE2CEAAD62F8E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623984Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:24.135{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10F1781150482504AB1B8618BBA9F9B2,SHA256=DE95003D4CD380DE1B67384507BD02EC77E2F9B45541505E02D67C948DC5C721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623983Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:24.135{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A2AB77A6C803E15E5CCAD8D4F2F9627,SHA256=1E478EF570734C573347BBFBBC5293895F46B01D5196809AC3B7A8799612BF13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:19.490{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65084-false10.0.1.12-8000- 23542300x8000000000000000684322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:24.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FB106B199A00316EFB08296941FC447,SHA256=C126EE6188FFF324C3463641421CEDC4544D2892F47C91AB44A6D269FFC2FB2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:24.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0F7BCE8428472799697912BE212586F1,SHA256=802EEEE8F790AAE4325E3945E38BA78AD214D307B15F1EBD73F93ED928B36B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623986Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:25.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C858542F265B22553A2EFC996882416,SHA256=445BDF67D4F69AA60D39C06A77D02222A4B24324962F4F4C768703B80226C219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:25.576{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BD7FB3A4F38F2EF85DFCB238939340,SHA256=07DF64925F06FD41AFABAD6948917005B3D4134A3185CCF7E17E35DDC94FE84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:25.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE73A1509A9ECA29C013AC2E5097BA1B,SHA256=F7E6EA135B0546476730AD6E21D7E0D67FC7BF5F29106769B033DF23BAA764B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623988Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:26.588{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0095E53384AD280807B88D7A8C201BB8,SHA256=AFDA1F6A5F84AAECF10DE064341429B4CAE323AF1C80BFA73B223A3FBBAE7AE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.967{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.967{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000684350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:21:26.936{D419E45B-0186-60B9-B652-00000000C401}680\PSHost.132672108868145764.680.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000684349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.920{D419E45B-0186-60B9-B652-00000000C401}680ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_p1kbyaoh.ryk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.920{D419E45B-0186-60B9-B652-00000000C401}680ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_om0othhm.q4k.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.873{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_om0othhm.q4k.ps12021-06-03 16:21:26.873 10341000x8000000000000000684346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.842{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.810{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.810{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.810{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.810{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.810{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.810{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.810{D419E45B-0186-60B9-B552-00000000C401}49085256C:\Windows\system32\cmd.exe{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.814{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-0186-60B9-B552-00000000C401}4908C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1 10341000x8000000000000000684337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.810{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0186-60B9-B552-00000000C401}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.795{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.795{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.795{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.795{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.795{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-0186-60B9-B552-00000000C401}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.795{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-0186-60B9-B552-00000000C401}4908C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000684330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.807{D419E45B-0186-60B9-B552-00000000C401}4908C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000684329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.623{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56EF0829797C41C2F5FDC1BD7954D5A,SHA256=C3332F1826260C920C9A868F5A735ABC436505398C76C23564A1A3AFD4063BF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000623987Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:21.979{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51621-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000684328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.420{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC69A0E4CBFA08D0DC6F199634366B77,SHA256=06E982F9ABF68BC259F0AEC69E86AE3B36B18C62B21ECB75AD546BF2DB6712DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:26.045{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=143EED620C413F4C1A7C800498085E87,SHA256=3676A93D7845E588544669A684FBD4DFDDEDBAA5DF8A75A716E2DF3E4B09144C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:27.826{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=61AE6982FA3061304A60FEE3640E1D84,SHA256=9C9BACACE799E70FEBE6561905EBE0A032F8E809298364861BCFA33161EF60AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:27.701{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=924538BBCC79B0138A15082B432489C0,SHA256=31C7CD0C1DD06996E848449A242B450182CBF2A0E5C7B90C1F6909CEA50BD0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623989Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:27.604{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7709D47FD646B64A7C327CD24CE8641C,SHA256=0E28AC34C189F251BFD4E71F83C0317691B89FAD186FB7367D4CC121979E0313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:27.482{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B968C8AFD53FA59FF7E3D6E64DCBEF92,SHA256=FBDABDE7E9712C3D4166E7B595CBBE72EFDDB9F50DCB5DEFA38A8FC7D26ED808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:27.264{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=26C4D03A7F5E407385C8AB11B21BB3FB,SHA256=1203AA37943D8B532C10E06E1D58F62B9D68FA8781D53758452FD1E556836B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:27.092{D419E45B-0186-60B9-B652-00000000C401}680ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:27.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B9CFE2FF1741AE831B4292A17498134,SHA256=EF21D2AF38DCC9BC8CAEBF5D9B7FAB23B33285A166B03403D740F9225F1FD91C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:27.014{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:27.014{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-0186-60B9-B652-00000000C401}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:28.982{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=223743CDD5B6D4B18F89993F79299FC4,SHA256=76C468EB3A66F9AE27D6462A9CA76EFC08FA32F917552C6610BD41FB1AD9C6A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:28.982{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=967ACF10D69570D45EC28B75C53CC9CD,SHA256=833AE341F535BF3ACE0B00B03CA03F0D31ED237DF93D573F5AB3541BCBE039B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623990Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:28.604{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D74A24435151BB856503A3FDC4480BE,SHA256=D482DDDCB936ADBCF402660A4C3E18983294E15BB78AA7D910AEF406DF9A513A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624013Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.620{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DAD3422BF3FD1A8361D24822D3BC33,SHA256=D23BC09ECA70BC0B0E85CAFC2555AC7ABA0CD985652F0A22D2F833CDAF35CC51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:24.539{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65085-false10.0.1.12-8000- 734700x8000000000000000624012Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.416{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000624011Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.401{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624010Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.401{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624009Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.401{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624008Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.401{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624007Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.385{97C2ED32-7730-60B6-1600-00000000C501}12042556C:\Windows\system32\svchost.exe{97C2ED32-0189-60B9-1C5D-00000000C501}5900C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624006Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.385{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0189-60B9-1C5D-00000000C501}5900C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624005Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.385{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624004Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.385{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624003Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.385{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624002Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.385{97C2ED32-0189-60B9-1C5D-00000000C501}5900900C:\Windows\system32\conhost.exe{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624001Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.370{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-0189-60B9-1C5D-00000000C501}5900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624000Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623999Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623998Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623997Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.370{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623996Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.370{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000623995Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.370{97C2ED32-9D3E-60B6-7A08-00000000C501}33645936C:\Windows\system32\ServerManager.exe{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000623994Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.366{97C2ED32-0189-60B9-1B5D-00000000C501}5700C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000623993Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.323{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=02E8C9441BC92F9F7096E3CD9605B3F6,SHA256=147F2536FE29AF3880ABA210AADF576E992957DD73D1DFF1790CB5E7E63FC326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623992Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.167{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=964280B261E953430B7470DC5557E708,SHA256=CC451DDAFE087E5BF1AD646040ECA7426B16DBD133F3767ED49845F2D6CCC48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000623991Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:29.167{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10F1781150482504AB1B8618BBA9F9B2,SHA256=DE95003D4CD380DE1B67384507BD02EC77E2F9B45541505E02D67C948DC5C721,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624030Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:28.280{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51623-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000624029Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:28.280{00000000-0000-0000-0000-000000000000}5700<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51623-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000624028Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.667{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=012E35E3FAEF1648786F3F82C805121C,SHA256=B73855100B92947871B4D70D4A48F341DA669359930F24544200FB3DD9EAD4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:30.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD6A060751C7AEE525CE05028F5C73AD,SHA256=D4B8BA0D64D7D6DB83F7FFF9C7C17BB25FC8C02D8D3C2017A6D8124E2D838634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:30.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823A92AFC0A0ABCA9C2019A424325E11,SHA256=2232A885265E25E3D4C136212645AA751517396211777622AD9AA1257CA40C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624027Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=964280B261E953430B7470DC5557E708,SHA256=CC451DDAFE087E5BF1AD646040ECA7426B16DBD133F3767ED49845F2D6CCC48E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624026Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624025Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624024Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624023Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624022Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624021Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624020Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624019Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624018Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.416{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-FFA9-60B8-DA5C-00000000C501}1408C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624017Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.355{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4BCBC2AC501FF51A92B6AD51CCCB6D50,SHA256=F6B9EF5E8BE87CF2D53F619849FF4A7F16D362D4DD8D632F990609D72D56B940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624016Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.355{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7A5F3E549E81F2F7E4A411EF7C35A0C6,SHA256=BC1CD12364BA45CD3FB9D88EBE31BBCC2E37031B35BE25B404EABC32246F8116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624015Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:30.338{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-1200-00000000C501}1016C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000624014Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:27.026{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51622-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624031Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:31.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD79C5F2844829377BA430C2A542DB51,SHA256=5197876DFF4F4EC2093E537B3A880FD3B2B4D61EEC0B2DC3EDCE03C1DC19592A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:31.185{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74C4B8A0674F75E0EA2FF0741B0036ED,SHA256=7D6364931238DBC03A913B6B317863450327F5EF2049B47A2DE72A405D49C19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:31.170{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D710655EB45BE7919A10A396B4204D,SHA256=F5F7F945A346C5EE8FF197922670E1C0BAF413B1A343EEA3E82B8AA5BEC3C88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624032Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:32.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADE72AAE3637EA14F3614546B8BF5E5,SHA256=EF2F2061AE976984F59566BD539AACCD0FAF38749C3377916ABA34EF4BA01B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:32.748{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F8F45E57A9DA8E0480F40C9A7CFD6A8D,SHA256=382D2AD5ED1B59F9AF282C4428736BE7C40FFBDFAC7CA18368B4EC6EC92197EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:32.279{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C376BEA0A950C25241E921641DA3709E,SHA256=5F9C7037C299B1E6A583200116BEB7FA745A916C19C097CCA44F43D0E736CE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:32.185{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2351B515DF4F73D2662964CFC1BA5FA,SHA256=C64FE396A699AE420F85A5BCB5635DCCADB31BFA4048A03BDB8896B91EF8020C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624033Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:33.791{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7214136123F658711DE94BBFDC015FA1,SHA256=0AA5588312C7EC856E41E0BC6D91789790A2C62F53F3B224DEC8AE808BD11AE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:33.435{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D561190831711FAEA179180862ADB796,SHA256=51A39062D9A7EB597F8EF847F261D6FFD610D61D1203F5FD9F7827728104E8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:33.185{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7138292391AB43B7F7AA55C159D28EAC,SHA256=58C9C8D151E648425B3CAA620E4D605794A612F9CAFFD30648A48B4C047A9299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624035Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:34.854{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59BE293A375A0447FFF75143AA118842,SHA256=B217EB7FACDC9DBBA6CE0F6D2C840D6B4D5676CCC349647566907A09302176C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:34.560{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FE1AAC276F572EB8681E28029AA340E,SHA256=94B0C8A7417E7495748CB1352CB587506037476B96A4C8856FAAF127F2A46380,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:30.506{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65086-false10.0.1.12-8000- 23542300x8000000000000000684373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:34.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA914A99391B077A13710E54B73BFD2F,SHA256=53ACE2B50C9B86FA2D0504914BABC851B932939492D2641BDE5C4155270D0EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624034Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:34.276{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D83F3341B7AA57CDE4121C1733D457F5,SHA256=1D3958F127E1A976FCA609C7131493A2862912A7B1AA1BF99A81C9995E4B6E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624037Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:35.854{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BB1B7AC2840381BA5F941EA2F2CDC1,SHA256=B8CBBA9A5C73829CF40CCBAB5D6C0A6E7EFE88CCD398B22E047D0C90E8E59ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:35.748{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5105DC6E1746ECD86E6296A2F7085314,SHA256=A2194BC2161CC6C19184673D69CCFA770CA856D82411E371F7C36239BC274780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:35.217{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EEEB828EB0BEA4B1AA8620A6F2EC79,SHA256=84434FAFEA0E358F7A8471DD77A871B1A8EF50A0EDB71ECD26E707BEE537BD91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624036Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:32.120{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51624-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624038Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:36.885{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361365AF766E4D4A0D4811EF3EAABE1C,SHA256=CC619EFC2DA4E0B28003DF0A854DC610A39E0A148CA75638E245C81F75DD4927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:36.951{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7A235D807A9C3BC5CECAE93FA5CC11B,SHA256=A6D6C8CA87CC5C115D272BD09D6FFC128073C61EB1ABC764722C412A0B37E718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:36.232{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A5C44D0BB82C8674D88DD68172C0B3,SHA256=E615FED79746742EAA9D2B1D5DD880A05D7290217E653DF1A7268427ABFD8A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624039Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:37.917{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F25422EBA606C2A08057CA9DA25BB4C5,SHA256=7C35D22036A8192B97859C480C57991D117E7EC31F4FEC081C61F7B9286C8BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:37.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800695E7DB5F1ADE46F5E198DB615276,SHA256=463BA736D68A9636FB39FA1CB16DD8CA8392FAAABABA6DEDF9B0A18AE3C52F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624040Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:38.932{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF2DD038EB33FDC0DEFB5C708253D1A,SHA256=117900735429E2BAE9612FDD61721D08B58A4AFAC6DE188205C4E65B6D4265B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.576{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE8508B03CA1C42EFC7CFB1436744A8,SHA256=0E1E369C81841F12C6501D8472AC744FAFF14B3178DF7E064D3A042D962178C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.576{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B8F6234BE24A3FAC4714CF3954C45AE9,SHA256=BC4DC292FF7BEE808116B48E4AA0A267C777C611FAA7FDBFF4D722ED13C2EFCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.248{D419E45B-0192-60B9-B852-00000000C401}4868ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.201{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.201{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.154{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.154{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000684402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:21:38.123{D419E45B-0192-60B9-B852-00000000C401}4868\PSHost.132672108980464612.4868.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000684401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.107{D419E45B-0192-60B9-B852-00000000C401}4868ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_qbmk2qja.1st.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.107{D419E45B-0192-60B9-B852-00000000C401}4868ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_eew3yahu.q2o.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.092{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_eew3yahu.q2o.ps12021-06-03 16:21:38.092 10341000x8000000000000000684398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.076{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.060{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED5D9A7A54E9BA939B89736907FCA00D,SHA256=A01BD96225000EF21726850247A9EB78FF74043484F1ED515B775C45A7119C14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.045{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.045{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.045{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.045{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.045{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.045{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.045{D419E45B-0192-60B9-B752-00000000C401}63525364C:\Windows\system32\cmd.exe{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.046{D419E45B-0192-60B9-B852-00000000C401}4868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-0192-60B9-B752-00000000C401}6352C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1 10341000x8000000000000000684388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.029{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0192-60B9-B752-00000000C401}6352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.029{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.029{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.029{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.029{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.029{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-0192-60B9-B752-00000000C401}6352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.029{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-0192-60B9-B752-00000000C401}6352C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000684381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:38.039{D419E45B-0192-60B9-B752-00000000C401}6352C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000624041Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:39.932{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E68A067F78A48335F33F3E63D6C63E,SHA256=EDBCB0DF105DA8637ADC5E8A610A18615247E760AED099E03B0DDF404ABB00C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:35.584{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65087-false10.0.1.12-8000- 23542300x8000000000000000684412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:39.639{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B379AAFA184B3319EC37F4251F3424F8,SHA256=8A10D80999792DBA7C3C81E468925604807B6E779310CE8334F3710D4427904D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:39.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F86610589A2DEB72ED5539254B6A2B3D,SHA256=C1273D9B9701401C625411E721F3DF82335C4141D2F52F15DC31037BF972E4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:39.154{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=690797036066D1648B2161C5D2884AFA,SHA256=A028D56E8127E6D716690CCEFDA9DF8D50D99E7BFE42A80482D5BD48184CBA3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624044Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:40.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0FA3EE6D64000D3B703DF173B61C8B,SHA256=F2B388993AE5535E59055E52F445A1221354269A554CA7676F9CCA19C6BC3A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:40.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1090E479CC0F7ECED1793F03C03971,SHA256=937D54D0A090C298C2C8C95DEB95E1FEADA1B60A86BE301A8105EAE79D36A97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624043Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:40.198{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7906EC21C82AEEC0B71E2E00FEC01228,SHA256=B5D46DBC5CE4CF377766B0DB2D47E1FCFA748074A780CEEC182C916357F87BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624042Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:40.198{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2446EE3984000EE9B739E80EBB0B690,SHA256=A4465C061E1E7D7DD43BBD209CD21839C84F14FCEF0CE9F053790310631BAD29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:40.264{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFB0AE1B9973F26CB71004B8D9BE7EF,SHA256=D6999297B79D101A55C2365647C6DC899F5CBEBB39657B0F80437F7DD59F809B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624046Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:41.963{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BE3C7DEABBDA54DA97C9C239E16DB7,SHA256=569603611CDA765411760C04601BED992B13D3E4271C37F8F840608825B1CC3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:41.701{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1C781A7FBE060D4B5A9471AAFE5103,SHA256=A6CBDF30D30BFAFF5752B6CFE91F5799843F3AFA5AEDC33C3550F07CB8744064,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624045Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:38.042{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51625-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000684416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:41.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F3AFAC1BF7815FC87A63BB6CB3F01DC,SHA256=096537558D089040A698109A2337D7D7F8545E52A6CF3C9B6EE7B6DBAA705121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624047Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:42.974{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15503220B66E4FC93E24E286DC63C722,SHA256=013001B9563FCEE34A5945FDC4B3DC806F63CF4D7D1C9E8420FEE17AA5993B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:42.899{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E17C9FAC0C4F74DB1A10BE1F12EB3AA4,SHA256=C332F829DBCC9EC7958FDDFC25ABF8442448E0D7CA3637B51EC8905A327057B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:42.743{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9B050A566D9519E9725FFFC62EEC2C,SHA256=F15F2974ECFE87BC62E2E2D8618E17D305AC9639994C52EB2C7E064A2A39F833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:43.759{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F897A4974A296BD9823CCB86D2A1F0,SHA256=B846DED1EB90EA107E8297D154614C95C2B5C98E4A859E5EC07A0CFC637F41EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624049Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:43.991{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0B2926883FC70EB645BC8005E635DA,SHA256=C99C66F5EB9560365E31C9CFC1DBD2C019B1F6F0240816E4F8F9DB711AAEEE7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624048Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:43.396{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-772D-60B6-0100-00000000C501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000684423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:40.817{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51626-false10.0.1.14win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000684422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:44.759{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D35AF8C58A94622BAF36484B52BEC71,SHA256=F6683D0CD2AF6B2C68CAEA16C4481B9D68ADB23AA9CAB02C692A94CA75ABB0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:44.040{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7330119922D7DCAD6EE8F5F8D394D857,SHA256=C5B8B10FED353D6D2D6184F26F0DE0E5BB521F9F2DCE38E58DC188FFA09F37A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624050Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:44.585{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7906EC21C82AEEC0B71E2E00FEC01228,SHA256=B5D46DBC5CE4CF377766B0DB2D47E1FCFA748074A780CEEC182C916357F87BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:41.641{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65088-false10.0.1.12-8000- 23542300x8000000000000000684425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:45.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F32E9EB162EF43FE6F6C7CD8CF1DFF9,SHA256=CF03CA26C6252987C9B092337807B3452514968791608048824C68F4762513AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624052Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:42.259{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51626-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 23542300x8000000000000000624051Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:45.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DF3B966DF80916AFF5433B44F69542,SHA256=9FDB9FB6F1727371DD92172307EEBF080C04AF56C52D5DC3FBF92393CFF26B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:45.165{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F023D1B277229CA8FCF5CFD760FC00,SHA256=EF125DDE2BFE661FDC105C1C381422000CCBB8C6F97F265A826669B0BF916CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:46.821{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3565A38483A0C7901A91E087578A36D,SHA256=B7741FBAC4C8407CF6A83220211053869E53C1952298A7B6CB7D14ED6746F592,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000624064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000624063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09ecb9c8) 13241300x8000000000000000624062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588c-0x2a577eb0) 13241300x8000000000000000624061Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75894-0x8c1be6b0) 13241300x8000000000000000624060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589c-0xede04eb0) 13241300x8000000000000000624059Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000624058Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09ecb9c8) 13241300x8000000000000000624057Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588c-0x2a577eb0) 13241300x8000000000000000624056Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75894-0x8c1be6b0) 13241300x8000000000000000624055Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:21:46.444{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589c-0xede04eb0) 354300x8000000000000000624054Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:43.116{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51627-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624053Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:46.022{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C0ECCB857572170031FC848892B30C,SHA256=B210D87DBBD3184E43EDA37F845432657638502692DC017C79344F2E9B5E17AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:46.290{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D9D879FD07F215D6040D1FBBE60FBCF,SHA256=F02FBCEE022E7DE4C288FB9BC911348C62D64E7C62E082FAF8F8A52992DDA952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:47.821{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD3E3C1CB314F91A0A548C3A931DDE8A,SHA256=740667B1904E231DF1E6943D8CBFF9312235422956647B8169A751CEB01686D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.788{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-019B-60B9-1D5D-00000000C501}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.788{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.788{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.788{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.788{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.788{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-019B-60B9-1D5D-00000000C501}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.788{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-019B-60B9-1D5D-00000000C501}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.789{97C2ED32-019B-60B9-1D5D-00000000C501}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:47.038{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCFCD75E53E95FC99CE15C6E234CC3C,SHA256=B625FEA3FA62074DC6BFA64A7AEFB2348FE6CF5F42616ADD40DF77DD67604FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:47.540{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0139C9A385FA35F14F92A2E53ABDB9B,SHA256=080AF73068823F84C19292E5DF96A59DA86EA649F49D11C906E614D73C83F06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:48.837{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB85CF048BA21BCDF63229E47712ADA,SHA256=5C50F54E5E0A9A78A883A8419E5BFB1157F4CD02A8A55C2CB5523147D59F9043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.788{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F09E579F7BA1BAF4EC8B67EA8917BE20,SHA256=B3B97D10F6D2ECE62AC26BA9AA7EE22C5E3F5A61A428B6D22CC5BBB76033D6A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.585{97C2ED32-019C-60B9-1E5D-00000000C501}54004340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.460{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F121-60B8-D85A-00000000C501}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624081Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.460{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624080Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.460{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.460{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.460{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.460{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-F121-60B8-D85A-00000000C501}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.460{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F121-60B8-D85A-00000000C501}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.461{97C2ED32-019C-60B9-1E5D-00000000C501}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.038{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FF91942BA6C4D3EAC16C706F30336B,SHA256=651DE8958B4F201CCBFF987A254D139CDA39235F9BF0B26F6EE6F597E20CC40D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:48.149{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:48.149{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:48.149{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-752D-60B6-0A00-00000000C401}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:49.853{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD627C257A1930D8E56C82A0C938BE2,SHA256=1DBE778041720D829AF26EEE5293B00D67D2A0B82CC51685CBAA0D0962E4E96E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:45.588{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-233.attackrange.local65089-false72.21.81.240-80http 354300x8000000000000000684442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:45.580{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local57377- 354300x8000000000000000684441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:45.577{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local49669- 354300x8000000000000000684440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:45.576{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-233.attackrange.local60952-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x8000000000000000684439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:45.575{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65505- 354300x8000000000000000684438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:45.575{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65505-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domain 10341000x8000000000000000624101Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.804{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-019D-60B9-205D-00000000C501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624100Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.804{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624099Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.804{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624098Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.804{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624097Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.804{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624096Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.804{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-019D-60B9-205D-00000000C501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624095Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.804{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-019D-60B9-205D-00000000C501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624094Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.804{97C2ED32-019D-60B9-205D-00000000C501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000624093Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.132{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-019D-60B9-1F5D-00000000C501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624092Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.132{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624091Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.132{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624090Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.132{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624089Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.132{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624088Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.132{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-019D-60B9-1F5D-00000000C501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624087Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.132{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-019D-60B9-1F5D-00000000C501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.132{97C2ED32-019D-60B9-1F5D-00000000C501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:49.054{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6F534478308D4B4E015AEDDC365DB1,SHA256=4629B6D58828D454D577AB872E808E9304A9DED345C59029540250F718EDE33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:49.165{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=678C333A9913B733D0650DD2D97EDEEE,SHA256=D9869C019F1DAC38973551A57E063A602F03F53D968062864C89DEDB3D65F393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:49.165{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B7EBBD3DC998CB72CB8B1E6F929F1FAD,SHA256=C7FFB72177648710DD643D5F7618700FA61632FE8B38E132068FE17D59FAC106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:49.056{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77CE971C6C45BD70D0AA09C8194F50F,SHA256=B23B923A465A31EB65D42A25C5FC98FA8E262F3A94900356A8C90D4514BC8DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:50.868{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252DB2E3F0552879812507B5CA2BA5B0,SHA256=EFB8129B46C4EB14907F4C057B7223EC3FC36AA6CB72BB1345F313DEE15B3823,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624112Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.569{97C2ED32-019E-60B9-215D-00000000C501}2860596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624111Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.429{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-019E-60B9-215D-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624110Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.429{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624109Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.429{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624108Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.429{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624107Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.429{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624106Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.429{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-019E-60B9-215D-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624105Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.429{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-019E-60B9-215D-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624104Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.430{97C2ED32-019E-60B9-215D-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624103Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.241{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AFE2A419ACA2A63A8DD364278BD3867,SHA256=5ACBF4C1A396366E5D1BCE83A0169AE75C4ABC5DCE5713FBE55443E90E089F41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624102Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:50.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBAD7B95894292AE17F006B0CB8908A0,SHA256=86D1CCCBB03EC29B4E9A03AB3E39588C2A00BC4EEDD5913D946E2A9CC2D97BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:50.321{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48E3C4650B3D127BF913E3200CF35FB,SHA256=29259AACBDB79701BA6781A89242EDC7DF90274B1D0069594B687A9B28D4D86B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:47.423{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65090-false10.0.1.12-8000- 23542300x8000000000000000684448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:51.915{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9B7C3863F782DD1D2E7453329BC9CE,SHA256=2F6AF0A5D768D6473A35049202EA191737A87412BB28FE3620794EB47DCD504E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624133Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.913{97C2ED32-019F-60B9-235D-00000000C501}3916968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624132Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.772{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-019F-60B9-235D-00000000C501}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624131Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.772{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624130Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.772{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624129Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.772{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624128Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.772{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624127Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.772{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-019F-60B9-235D-00000000C501}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624126Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.772{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-019F-60B9-235D-00000000C501}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624125Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.773{97C2ED32-019F-60B9-235D-00000000C501}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624124Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.460{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93895DFA7535C0F75C5212840E31D34F,SHA256=BCCC2963B4BA85005C8B39FFF415E36E2B6F1837D67BD91F53F560B710EE1D87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624123Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:48.961{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51628-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000624122Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.225{97C2ED32-019F-60B9-225D-00000000C501}4600800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624121Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.100{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-019F-60B9-225D-00000000C501}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624120Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.100{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624119Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.100{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624118Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.100{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624117Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.100{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624116Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.100{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-019F-60B9-225D-00000000C501}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624115Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.100{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-019F-60B9-225D-00000000C501}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624114Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.101{97C2ED32-019F-60B9-225D-00000000C501}4600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624113Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:51.100{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851F03B0ADF3F7145644F44CD9EE345C,SHA256=885518C0740403188EAEFC38C0CE7D2B3ADB4682FA72E46F3027138E38F6D834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:51.368{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A881D1F1E4D3CF889D4117EDEC662C48,SHA256=923CF7B8B9D56E0C1CC1DB842A4C73C8B96CAC2A23B248E870B37CB738AB1DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:52.931{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23270D96FD8462E480F3F65B1F1B8AD5,SHA256=46FF3EE8FA08496D461BD90C243BF8487EC38F39CF654B4330E99564465C338C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624135Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:52.788{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB0D8E65EC0D6DD000F215D52A92D15C,SHA256=E9725A2048633653E95DE5750AD708C95E3384CD214873D9D8D58246CB9D2478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624134Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:52.100{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63B27B27CA408336BF48EEB9FF1BAE5,SHA256=1159857BD5EC74FFFDBC8DA578E8CEF206B146FED20DE0B7C61ADC16550CFB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:52.603{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E9B192956F2D6C3ADFF853781E18742,SHA256=A201FBE3E607186F1AA10976853F7A4A7A9CE9285BF957EE569711A696F8C75E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624136Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:53.100{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B13849E81B93C4AE04521642F0198E,SHA256=475F1FF9DF328D818DEBEAE74DBCFD2FB27F8FF7E33B473C1F0414FF950068B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.696{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BEFDFCA64CB7152A8864BEFD7B6E842D,SHA256=F30C97EA433D9164B5042690927179F9A71DA232170EFAE97110F9D662CD4C91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.587{D419E45B-01A1-60B9-BA52-00000000C401}580ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.571{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5EFF7EFBEB7C1DC5FBAAA81226EAF630,SHA256=537A4FE43E9D8886F1232BBF5FA8AA6B87F7051C2AF1DD11AA1B0EDDAA9BAF91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.509{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.509{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.478{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.478{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000684472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:21:53.446{D419E45B-01A1-60B9-BA52-00000000C401}580\PSHost.132672109133665817.580.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000684471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.431{D419E45B-01A1-60B9-BA52-00000000C401}580ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_zg02dumi.fln.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.431{D419E45B-01A1-60B9-BA52-00000000C401}580ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wjan0y1v.imt.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.415{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wjan0y1v.imt.ps12021-06-03 16:21:53.415 10341000x8000000000000000684468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.400{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.368{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-01A1-60B9-B952-00000000C401}70406712C:\Windows\system32\cmd.exe{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.366{D419E45B-01A1-60B9-BA52-00000000C401}580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-01A1-60B9-B952-00000000C401}7040C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1 10341000x8000000000000000684459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-01A1-60B9-B952-00000000C401}7040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-01A1-60B9-B952-00000000C401}7040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.353{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-01A1-60B9-B952-00000000C401}7040C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000684452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:53.357{D419E45B-01A1-60B9-B952-00000000C401}7040C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module c:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000684482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:54.368{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8D7690AD7D5FA6D336EDD2D240725432,SHA256=E732FF77D9FF65FA9FFC01D596D477939F9BBD246A6A80AF2499BA4D44E468AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:54.149{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84717BCC1DC08A0D59C012899763A44C,SHA256=E45FDF9FD47257150A4244F1AE9D42F3A1981BB1ABDAFE323DBAEA3787588D56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:54.056{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049FD4D10E806C75BC8B75B8704E34A9,SHA256=B0864E24D1ACC2C5E2D6675A3D3C4A406407ED810E4961C055359BDC94379930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624137Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:54.116{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7BE5C93DC2A00BE07BFF123399CEF5,SHA256=C2369750F727F8643B8F01F4C8E916F33E78C970DE26F62F9117FF27182AE537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:55.650{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=084DB2C04429EDE13E5CEA8B6D7EFD6C,SHA256=DBEE2276B7707F559D4D02731661716015188AB351827067D03A517CA53A6AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:55.650{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E743358B116E048E26CC29B411F9154B,SHA256=0EC3A8A1FD88FFDBEDDD7323943A88A9191F470320110736DBE45CFADF64D26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624138Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:55.116{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A297545CE8516D05E3B60E9D9957174E,SHA256=977EA2DF2408F876D7B172F39BB2D09AFACC78045C983FBDF5FC787A2CB54903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:56.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3139A43486A4B87786322289E7CB3441,SHA256=ADA174945663CE917F347020DA28782BA2D3E79A8CD0304D2D487E492F95CEBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:56.790{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CF00204C7E6953776890F2C51C56E4,SHA256=925569252A420C68CEF8C393E9FC642B0DF5D0F686358A7D6A3C3CCB88FC71C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624140Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:56.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41284B0D5E9991BC9755A29781B49A2F,SHA256=CC6AB9B896335D4E28BBFE4365ADEAD4BA434AFBFA717F5C48CA4CE8728A2ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624139Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:56.147{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A2D8EC3DCE08890462840893CC38F2,SHA256=1592541A55274787065086FD7B9121C88F379D3C673B36F1458BDCE54ACDFEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:57.931{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964E1D5F603EC24E1787C7F6389FC963,SHA256=F98A641B728305A389A6A96CEB710EFF58DD4B2B9C4C663C511B3A3485AD2CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:57.931{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6189A19FC2F1B37AD6EC7438D2A317D,SHA256=B76A0E401F01F3F82F08E5C4989B46E799B6E42F46EDAF2DADE9099E008B189A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624142Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:54.070{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51629-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624141Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:57.163{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BA0C05AD69BA895452549D98741627,SHA256=217194B2A67AFF21C596A0C4170CC238DDD2E900E754AD87EEDDD103D945D258,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:52.423{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65091-false10.0.1.12-8000- 23542300x8000000000000000684490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:58.946{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD65F42A011C1D1E8A4E7D106EEECED8,SHA256=29EC9823A5A6A4948BD5CFD0A636A66D60273EA65F70E7D668D367DB6FDE5AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624143Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:58.179{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2F702DD28DED717AA6BF1E6B39037B,SHA256=98D7A8EB3BF7B611F81831E2EC29A322DF66AD4AC3BACF6FD9CB6A71CCA1DF38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:59.946{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4693EF8D9E99EE65EDB5755D071DCCDB,SHA256=98F8284A67A87388316B275E13A1381C70B989DC4A22C11727F660B567A57997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624144Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:59.179{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0BF06B3B4D553EE10CDD6A3276B15D,SHA256=885D0860823C63BA4BD271C3C80C1E0583264BA81B0D7F0C005217AF7E552118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:59.087{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B909F9DD5369E986F487373271BB206A,SHA256=FCCC7DADE511BB8456B19D26DA137D56E6A728D911374AC8CF67F1F95017D1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:00.118{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76737EF6A8ED9874A89158B80FA80D5A,SHA256=3A9A91BD5CB706A308445E070E2F4490DCB1AA8A97910D32CE46C172C51CFE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624146Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:00.616{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624145Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:00.210{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=099D8DD2C49992CFC77696A44C2ABAE3,SHA256=46F75F0112D1C0068D61F4013221EF6AF0874605FE87893FA56E177BA134D3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624149Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:01.817{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B92965B552DAD88686B1CED789EA323,SHA256=5A9BF18B65062D86A7E3C183E49F715087BB526A9B3E703D6248CE27FC897638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624148Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:01.817{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE00E2311143F043DEC644C5DEAB670E,SHA256=73BF699184F083F22236E11B7B2BE503562DCFE2AF227C01A3198FA2B76506D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624147Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:01.215{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4FC263F0ADD2729974788C7A94C6F7,SHA256=87A8B9AC0F7BDC244797D19A442FD6D8007E3B3E4BC94531484045AEDB57AA47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:01.212{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6F55DBFF6D0A7026A1734A47B77BE40,SHA256=CFBD729CFD76F2F2531C61556CA8DE75B1C27AB694E1EB2BDEF28C0267400BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:01.040{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581D858AC93A72F06FBFAADC7B66EB54,SHA256=AFADA83336F01997D5B57B15D8D8E1ABBADA9BE4BE259E727C3662AD59D48B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624152Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:02.866{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=33E6617A41BBBF5EC519E2A91EFC7D34,SHA256=F7EEF2670F8D0F5705F58931D60E9D48AB3316FD0B3F69492F5F8A05604E8A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624151Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:59.460{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51630-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000624150Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:02.241{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C941BD5062A8BB0ABDC02DACE6B8266,SHA256=11E3F02A1231F8E12016C6A61EF2DDBDF89B4B43E02007260EAC91B9091EB5A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:02.398{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CCD11E36A13F73C8F7BC149952B045A,SHA256=00EE24E987D5F5A11D8A135148515BD440108BA80F7762530C924FE135DA22EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:21:57.516{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65092-false10.0.1.12-8000- 23542300x8000000000000000684496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:02.055{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF4B1158033A1263476FAA075E1B9391,SHA256=7F2B8E86C997B35E9423E74AB89698BD29C3FC44E3672BEBFF2DE6D5BCB2E853,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624154Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:21:59.976{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51631-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624153Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:03.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF600DAC9A30EF0238FB80D198E3BC68,SHA256=654163DDE920AA077EC5E5C2C397AC0E76E5FAF99478077F3DFF225743FE7372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:03.680{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:03.523{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=622E532706A4815A68618A78316C969A,SHA256=616DDF3D23DCAC9F122C4FE1E2539630F5DDB84373912D677EB634ACAD84DBF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:03.086{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93160D219A1FA6DEBEB12D988F04AF0E,SHA256=7FE0FA740D1B74978D2AF7C737CD820E521871CCDEF856EC3CAEE24689F1F5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624155Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:04.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85339B84A454BBCA4D12E62759AB5DB5,SHA256=E898683B66DD0E8578F72A498BF50049E767473205D80A2787F3E5F2FCB68AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:04.665{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CBB7C0EF6DCBE06C2CEC2315E5DBB44,SHA256=4953DFDFA71509C1B416BE0121DA0A897C6BD1DB4D1768ADE527931CB58EB33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:04.103{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EAA50B06CC62ACC45BAAAFEBCB4268,SHA256=685A0C35563BCD2DFB1B1DA93283ADE968B23C84BDC44E477643115A748FF372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624156Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:05.273{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1745D30C85B6CC319A2F979F2FAFCDA9,SHA256=D28D2246E91C09815561B8BFB9FBFC65889A1967766BB377B5E05196ACB29C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:05.741{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C97776EBF41193C8C35D3B58D337018,SHA256=690812208CBCBA3942DA870C60463415E640B23A697F84EB36F7FF1A546B373C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:01.078{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65093-false10.0.1.12-8089- 23542300x8000000000000000684504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:05.116{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7460DFFB594DFF3850AF73B4281B6C55,SHA256=E8C2BCEB725D4E9EBAA5F690C4FAD7CAFFDBDF958192253E64D1A83C8AE3AF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624157Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:06.335{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923D13D43055AB261BB375D711F65EDD,SHA256=71D85824AFCD395F8C980594A5F82747283450C49083416A3032427E565D1D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:06.870{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3731DB909E3FA12877FA3833EC096038,SHA256=8049EDAD33BD6D242E0D55BADAB6B3BDB3FEB3DFC4C76993FAC589D3DED8BD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:06.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC8B03F5210097A35F4B9AAC524D9A4,SHA256=24C6373781CBB28B1FB919006F8C9D16C3DA08E70E738D46854A2B131EEA457F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:07.964{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=552CCA038FBF1CAE897705D409062F61,SHA256=7EADCCA22F7E86C1EE38FF2712D4BC0EDC19214A83A65E90EF9671283D1C1E75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:03.171{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65095-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000684511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:03.171{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65095-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000684510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:02.655{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65094-false10.0.1.12-8000- 23542300x8000000000000000684509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:07.152{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33044423E4FBFDA2DFBA7B2139A6E3B2,SHA256=84A69ECD4C50FD8D07D48B9D66C9112F755945739D0744DCCCAAE18669125527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624158Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:07.351{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5609EE10AB5BAF604682508F07B6A8DB,SHA256=4D8C8DC2007B983404D29ABB18A5706112F3500AD606F615CA821B77AD7B3A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:08.183{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B36E677AEF0918308F5CD2A794AD378,SHA256=FFC84D74CF4DCCE8208CC5C19389F2134883DE4DB66DBB7698E6BDC1BBA51F57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624162Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:05.882{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51632-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624161Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:08.351{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B360AD34B72F5179E86CADE7C1469A,SHA256=4B7F25F80802A5C8261C9B4E7F93AD64E374F385A79C4DEC97316636ACA7AEEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624160Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:08.241{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD56D22F2179EF359A09F77A269D1FA,SHA256=67F20D926F7E4D64D6828C3584D1A9DA2DE8E689C6CAC0A535FD1199F0D1064A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624159Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:08.241{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B92965B552DAD88686B1CED789EA323,SHA256=5A9BF18B65062D86A7E3C183E49F715087BB526A9B3E703D6248CE27FC897638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624163Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:09.351{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68D133B9ABEFE4161C891A9B1D0C26B,SHA256=93D43712172084D454810B9099E62459E0624A1294FC2ADA122CE18C3FC23FFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.620{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=195311547A4D0A453FFAF5B50A926963,SHA256=41E87214B7C2716BEC7CC3D6E27C1B064C0C7D10E0758F968D1422C0160DF4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.620{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5913D714E88B46D7B6FE301624F26958,SHA256=CAA3B578366DC8E04838656BE2CB36E01433D252FA9E2FE955090A426DF232D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.433{D419E45B-01B1-60B9-BC52-00000000C401}1748ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.355{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.355{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.277{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.277{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000684536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:22:09.199{D419E45B-01B1-60B9-BC52-00000000C401}1748\PSHost.132672109290884014.1748.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000684535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.199{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7A24F0AB69DCB1165A77D50816E33B,SHA256=DA6067DB92AADBC3547D32434336D594CD2EC8C494D6A353F2DFB084640F4FAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.167{D419E45B-01B1-60B9-BC52-00000000C401}1748ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gzcx3yyt.zgo.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.167{D419E45B-01B1-60B9-BC52-00000000C401}1748ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_cdqrz5dd.dil.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.152{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_cdqrz5dd.dil.ps12021-06-03 16:22:09.152 10341000x8000000000000000684531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.136{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.089{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.089{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.089{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.089{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.089{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-01B1-60B9-BB52-00000000C401}58845412C:\Windows\system32\cmd.exe{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.088{D419E45B-01B1-60B9-BC52-00000000C401}1748C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module C:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-01B1-60B9-BB52-00000000C401}5884C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\temp\AzureHound.ps1 10341000x8000000000000000684522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-01B1-60B9-BB52-00000000C401}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-01B1-60B9-BB52-00000000C401}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.074{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-01B1-60B9-BB52-00000000C401}5884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000684515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:09.081{D419E45B-01B1-60B9-BB52-00000000C401}5884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000624164Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:10.366{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D143838516F858BA390D87C8BF123D,SHA256=223430B9BA8C4A6E5C364803A2C7AC213DD093412EDE5E0B2A0F323AEE4BAEEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:10.917{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32097E1BBB603E06B2B66573A9649C21,SHA256=0338F9E741BDEEA2F99D6EF5AC6866409C28D01F2CAAE69C796C168DBA7BFED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:10.277{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BE6BFACA58E80EE545A0886D7698CA,SHA256=F96E6B5987F3E7D5E18FA69209E3FAC60D61D25A093C55F533FB541D5AB82E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:10.120{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1481B7BE127363BC679BBB8598FF481,SHA256=E0DCD6D3ED5E6F77477FD4402401BB5C7C4034CC1E864506AB45521EDC8F4CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624165Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:11.397{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50406C3A9DE569E4F45086F7C292816C,SHA256=EE79C1203E403F52E3D80C8319A552972974EC27742E3EBEF50D127840FB3C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:11.949{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97C7A385A184465B1B0B0402D2EA36C2,SHA256=8A02301957B1637F9ACFBE6AD64AF0F7DF45BA0B62BFFF7EF4FCAFA5DF25DD22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:11.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10382476CAF1FDAB4ED8A60FA96F915C,SHA256=2B076A6A5711978F254D2366FFB11FFF9E0DE877699A8DEEF7F1EEFED398CA35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:12.324{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981915189EFCD58892BD6E480004EEF8,SHA256=B9A436108FF213FFECC4C83202AABFE7126ED016ACB6F0582871A5995C7278FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624166Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:12.413{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70270AFB7CB5FA93BBC18A5351B8D183,SHA256=9AF7291056D18E397A877175DFBDC6F696A53BA8D0F6CB0186F505F1CE85A96B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.917{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01B5-60B9-BE52-00000000C401}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.902{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.902{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.902{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.902{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.902{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-01B5-60B9-BE52-00000000C401}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.902{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01B5-60B9-BE52-00000000C401}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.903{D419E45B-01B5-60B9-BE52-00000000C401}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000684560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:08.659{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65096-false10.0.1.12-8000- 23542300x8000000000000000684559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.324{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D544135721D3977148855E956531100,SHA256=30BB870D82913428701731B747439D7D0E2FDA5E055F16C59F0FF175DDDF69AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624168Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:13.429{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CA58A76D3A3FA82083AEA50A61C1CC,SHA256=A42256D282F7957C9F1E19B873ED2D67221DB00304181DE7C7144845086D2C91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.230{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01B5-60B9-BD52-00000000C401}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.230{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.230{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.230{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.230{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.230{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-01B5-60B9-BD52-00000000C401}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.230{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01B5-60B9-BD52-00000000C401}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.215{D419E45B-01B5-60B9-BD52-00000000C401}4852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:13.214{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=176C78B5D2C5E2D27A82C02CD73E47A7,SHA256=2B73BA569316C9CDBA85EF3210C77BB09F637DB19D9A44B83EDB771CB1AE7FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624167Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:13.226{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD56D22F2179EF359A09F77A269D1FA,SHA256=67F20D926F7E4D64D6828C3584D1A9DA2DE8E689C6CAC0A535FD1199F0D1064A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.699{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BC1CD5D62BE2B2C54B20770EEF67FE,SHA256=CA8913DD594866E4A31C31AAEE2354C2632B9B948D3C324C92248B1C1383878B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.402{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01B6-60B9-BF52-00000000C401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.402{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.402{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.402{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.402{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.402{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-01B6-60B9-BF52-00000000C401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.402{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01B6-60B9-BF52-00000000C401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.403{D419E45B-01B6-60B9-BF52-00000000C401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000624170Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:11.086{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51633-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624169Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:14.429{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4BAD02FD245624D9B453F7B5040DC6,SHA256=1A1BB2BECAEB4F82A9EEA666E61A3C71CE803E6E8727395D0DBAFBCED6B0B59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.277{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBAC7D55AF2E42A353360D391201DF9A,SHA256=309A9DDED26CC789EF1CBA3A7E38AD233972260B9D7BDE21DCC07C6C9E1501C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.183{D419E45B-01B5-60B9-BE52-00000000C401}41807068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684617Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.933{D419E45B-01B7-60B9-C152-00000000C401}22164460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684616Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.855{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.839{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC17E7E2CC55558A22F3BD4B324AD199,SHA256=37A9AC8A35A0C500C1B79C30C431E60D9D68B78D9EF8CC2CB6C47DBFF0530A8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.761{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01B7-60B9-C152-00000000C401}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.761{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.761{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.761{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.761{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.761{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-01B7-60B9-C152-00000000C401}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.761{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01B7-60B9-C152-00000000C401}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.746{D419E45B-01B7-60B9-C152-00000000C401}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624171Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:15.429{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAB8CBBC526F91D330E20311B33EE20,SHA256=3ECDFB612F417155BF051FA550F632B87F547353A856B8C40F06C0FCF119449A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.433{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFBD427D741B29F31BE3D508E1B7B4A3,SHA256=EC78D43AEBEBCFC2A21A4FEF43E87B6C2EFA3E4A8C998A5B1CDAD147EEDB0AEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.246{D419E45B-01B7-60B9-C052-00000000C401}7156712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.074{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01B7-60B9-C052-00000000C401}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.074{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.074{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.074{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.074{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.074{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-01B7-60B9-C052-00000000C401}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.074{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01B7-60B9-C052-00000000C401}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:15.075{D419E45B-01B7-60B9-C052-00000000C401}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.980{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22524606AD3599BD22F8C01E6155797,SHA256=F71A0CF37928FEE3E701560E1731AD0E3468B3C7C0FA03041BCBD95B9F4E7704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.777{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396DA67A64A0831D8D655E0944C1BDFE,SHA256=6A0DB166603E7AAEED2CCBAD13B39A911058960FC79F08D1CE9605EC3F6EEA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624172Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:16.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392DBD8C87A70A7CE0E6D230BFDFAE74,SHA256=713594EE0D7B97A762FCB9C7952D59DA52A15312FE15FD8BF3FAD3959EE48323,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.620{D419E45B-01B8-60B9-C252-00000000C401}70085708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.433{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01B8-60B9-C252-00000000C401}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.433{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.433{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.433{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.433{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684620Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.433{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-01B8-60B9-C252-00000000C401}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684619Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.433{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01B8-60B9-C252-00000000C401}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684618Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.434{D419E45B-01B8-60B9-C252-00000000C401}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:17.824{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9ABE793C476E98E5C7EF10A5944429,SHA256=B2A38831BAC045ABEC1B05BE9EED933972F9B4B782DF1B3E49A2F52161008B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624173Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:17.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A695AFA2FD0E0886EF5F94B3285FE1A4,SHA256=AA5FB3D031B974A346E03785F8B314FBCBE293C312A1D29F7FC520E42357042B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.996{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01B8-60B9-C352-00000000C401}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.996{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-01B8-60B9-C352-00000000C401}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.996{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01B8-60B9-C352-00000000C401}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.996{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.996{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.996{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.996{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:16.984{D419E45B-01B8-60B9-C352-00000000C401}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:18.839{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED6BCC33F476FA85AE3B509475C623F,SHA256=86B0EFE5346AF19FDB29F9095A6E19376774BD53D8D3DAFA17080742849D62C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624174Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:18.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46D874DABF2F6C4B698C250C0871D62,SHA256=C0209B6E06D79DF9A5CADED277D7ECFB2C7EF620692210E20D1614248DE405C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:14.643{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65097-false10.0.1.12-8000- 23542300x8000000000000000684638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:18.136{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B9475E0FDDB854C1E3C5650D5E84B36,SHA256=A3E2A983A6651388CD500D9399A41E754EF8F84D0EA83ED99712127AB0C79742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:19.855{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3C6F8E00990020DF9DB1180A99AF38,SHA256=39079B1B69FFBD76D9FC5541E5CB4AEDC014073B6FFA2328D5D7F0B6D344DC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624177Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:19.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B08F01A21DC3D84D7F258230D527186,SHA256=3F83EB82F76FE6E5DAE72CBE373AB544C5C81ED256C8632606AB82BA9022312F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:19.277{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A7AFDEB8B614F3E3ADB28F7E47C15E,SHA256=9BF5169F66EB95B7E483EBADE074F79622056E2BF875EFE895B952F07EB5A323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624176Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:19.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C52F7733B5F5625E3ACB9B0C461A4E5,SHA256=0F1AB08412EE3B0BE81EB9CDEED14C45529D4CA66B8753375999041215B4758B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624175Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:19.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD604CD658F0F7B9FF3E06265E286774,SHA256=8F0104A66FE02E072EB6BC984D1B4A44FD6A136A269CB565249F4FCC77E826DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:20.933{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70C59C62D365BA41624F0333E50C3F4,SHA256=DE346ADE4087D0E9F19C59C6271D8FD523A23A268A49448F8C9BFAD625B5F089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624179Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:20.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F390D9E76B31EEC801C40D9128225A10,SHA256=6E74A2A5ECC878FE0456C6B7B30DF2B355600CA42C6B1BF04417EEF607538FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:20.339{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23FEF72C3F61EB66D0950A56F536F538,SHA256=0C281E14E0A7785265BC1053705204B632B92FFB91DF639ED6B0E150A0CF117E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624178Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:17.054{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51634-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000684646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:21.949{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48B1D6C0EC72F68B3EA4707465401E1,SHA256=0B0D40F81A9D649CEDCE8364B65E68EA99D1A61C3FA040CB90C2503124B3FFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624180Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:21.444{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AB280EA5D6AEF8641210E2F7C2C1B3,SHA256=C8EAD40E9ED84329EE20EB21F7B0C5D3D1107AA9AE71E9E822F708EC93BFB2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:21.574{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AAC315DA5337A59785E370A1B02ABE4,SHA256=EC46C0BC1E4C9975FBA7C6E83A9AA413DC7A84DC54B2D97F89A4E891BE8F927F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:22.974{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930975C8AA5DC4F89EC0CA1E5139A714,SHA256=192BF06280829B9FFDE59D8ADE51124B5A1B450FB69855A03E3F28A5511C2602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624181Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:22.455{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC28A7A80589886E39E252D2F0D1569B,SHA256=35AF40508132B17BD355522D89A686862322C121C14AC5776829A87266426630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:22.803{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A26C84AB9AF03CBA60C688654AA0CADC,SHA256=6CB9B7FBBF1FB90909E71414BF56BCFDF88396A9076B9BC1CE2A61C0B368617E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624182Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:23.455{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EA6D054F1820B62F17CFE63B5DED13,SHA256=76FCC6153F9EE1BCE8FD201DBC7469CD9B4F6E1A09ABD27A039E4A295E71AB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624185Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:24.455{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=379629C5505D4910BA06738B95CD2DFF,SHA256=262E463FD0806DA6C1F1E1795618017F52E039CB9A61BA49E2F42FC06CD062EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624184Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:24.455{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C52F7733B5F5625E3ACB9B0C461A4E5,SHA256=0F1AB08412EE3B0BE81EB9CDEED14C45529D4CA66B8753375999041215B4758B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624183Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:24.455{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C851B70E669AEBF491168D7A2D8307D,SHA256=30DB4CAB2163E75FAD15EA8F0FE0F1E8EBC7C26E57D7CB5E43CA2514F33335D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:20.544{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65098-false10.0.1.12-8000- 23542300x8000000000000000684650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:24.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B5DBAE75C94BD8615177B81B71327A,SHA256=24B31627718E24B7B19740739D4AA91ABB41A194124FCF51FEF9567CB27BDA0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:24.006{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9453D3945609ADDD946DEDE6A928F1A8,SHA256=44D9CF93C5ED2AB1AE5D96F3DE84FEAFD11CB6CC8BFEB1F0B209DB467709D210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624187Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:25.455{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B2A63F4DA87E494E1B1AFEE2F015F9,SHA256=1AF1AB870281944B9E1B0D237EDCABB360F65864E94463AF9089D4AC7550B709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:25.287{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD49AEBF67859658D222664F45EF992,SHA256=20721C4441B64AE999A850C9C88CD25FC3CA11286EB63D5D4DFA2B852417B7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:25.021{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C164D873EF773D9D01AF3CA617BC6576,SHA256=A617B874F09D776B7B3E3AF5EDF4AAB1F2C1204BA9AADCC33FFFBDE2F703EBDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624186Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:22.112{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51635-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624188Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:26.471{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492FEF1DFC489E5BF622FCA410429A0A,SHA256=DCE097AE2E545EB69DE5A82F5FE33D44B76AB3197FF62249AFEC240A958D8873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:26.631{D419E45B-78A4-60B6-BF02-00000000C401}39765176C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:26.631{D419E45B-78A4-60B6-BF02-00000000C401}39765176C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:26.631{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:26.631{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:26.631{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:26.631{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:26.412{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=568ED4192D355701302983AAD13B0D01,SHA256=E12CA64AA8C2B4E7B4CDAFE1FA0147E472A78863D8DB5A4AC50C0A0320590284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:26.053{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A0172AB087E390CFC8162D51204EBD,SHA256=D508401C04922E12E7B632E9D89E18982FA0A9166D974C61527E1486C22C4C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624189Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:27.471{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223CD0C88FFE4E7AA7DD9BDE789508BF,SHA256=83257E87DAB28B3E7869E07910540BF705B5A3F4B777726553CDF992A4ED49D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:27.584{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3BEE4C9B29292EFF8BF7641FEE45F22,SHA256=3DC21462A0524FC469EC6BD36420941BB55BA618DD5417D0FE70E454C666778E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:27.068{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754445525AE68F854FA4A6C75A28C4DF,SHA256=D9C85F0CBE2C72695BA22DC3A841079C7ED8F8D49B24929F65B96D0EFE23E9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624190Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:28.487{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC709BE64508CDABE9D5EF7A53D7B445,SHA256=4EDB958EACF63F5B4CE5168025D0B46E61CECF089DB814BF552D6E1C98EC2C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:28.818{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=815BD3AA746C854070EB6A39536E854F,SHA256=3835C332AAB2DCE0AE7005BCC38BCC6E3D78D239FFE9FF08D1151CC4B8E30FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:28.209{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C1FD1FA3EB6C4801EDCBE83B5CA218,SHA256=25AED6AFE9105391BA2CE042C3DD1E0D46554ACE995B4DE7D93AFD0B7936971D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624192Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:29.502{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C826E20BFC1B0BEB611BC92D9987CA03,SHA256=0F1DE577A00C4978B5F9452564A24F56CB11BFCB9C3DC0376C53F7DEDCE8D975,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:25.591{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65099-false10.0.1.12-8000- 23542300x8000000000000000684666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:29.224{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7135A002E7362413E14B32ADF3C53F81,SHA256=54C2A806D0621E46ED356F405307147F94EA413418972F844E3DD6040459B573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624191Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:29.393{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9ed6191.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624197Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:30.752{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A5216B98F83F48D65B4E759DA05C80AD,SHA256=E4FEA8D792CC31755A0056A1D53BFFC73BB933A94CC5F96FF3EB2D3387306B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624196Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:30.752{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4BCBC2AC501FF51A92B6AD51CCCB6D50,SHA256=F6B9EF5E8BE87CF2D53F619849FF4A7F16D362D4DD8D632F990609D72D56B940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624195Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:30.502{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92E3965EFD1E289CCF3430E9669BE96,SHA256=C2A270CA6530BE957B938C259090897617EC1CC19148B37F84176013F2AF4E7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:30.256{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763EF43FEFAC5983C3498FFFF7FB61D3,SHA256=58F5BE19C2A4076BE90174EE3876805463CF19907957D4590FF54D6070138776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624194Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:30.174{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00EC4F1204FFD6747DE3057D2697BB66,SHA256=9558F73F420E8A397CAA165630F27AB87887493364BCCD8DF5C7972BED42921C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624193Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:30.174{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=379629C5505D4910BA06738B95CD2DFF,SHA256=262E463FD0806DA6C1F1E1795618017F52E039CB9A61BA49E2F42FC06CD062EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:30.084{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=926FE3EB156C39B6B4C843CBDFBA88FB,SHA256=2705501FB7E5861FA3451F6A53C4468DB6191F8090BDD28B4AAE4449FE7F4CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:31.412{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=103DB846BA7EF7B7A48AF98782F2B415,SHA256=E897C5645863FD62C123F0301AB1E73BAB22DBFE6489F337353AF976DEF1C66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:31.256{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80607D3FF3A497972829D5C719D7E6DA,SHA256=B730627AE1E4764BC83FD7F2E9D77019E054378A8CBC8A4D70B4A657F18C0AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624200Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:31.502{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00EC4F1204FFD6747DE3057D2697BB66,SHA256=9558F73F420E8A397CAA165630F27AB87887493364BCCD8DF5C7972BED42921C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624199Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:31.502{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FB22E7D552722C44D8F92F61C077C3,SHA256=F8BC9BD7C3F9725C00C9A1AF3BC7A6B2B5F244D2F6DB05B0776076597B6356B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624198Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:28.034{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51636-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000684670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:31.146{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4AB8D76C76C7AB6F1CB6BD6383797AE3,SHA256=57C4ACCB9CC731D08BA24D24FA578AAEAD3D4093ADF7CFC7123A5DD91C7E8135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:32.756{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=14610206B93389181CF3827B71B352A6,SHA256=6C33168B4D63745B5BB8D7BFFF2BE9BF950A0BDF4F588B6DB9AB03E5F4EF29DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:32.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07585AC97D604407E904C457FCD0290B,SHA256=2E95AED01FD66D2E60B5F14B6FDA4297060348CF8DA7660AD3CAAF5B90F730F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:32.349{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AA6759F546C072F5851A12AF530A91,SHA256=D94C5315CDAF6380B7B8547EC84BAC2B9E88E2BE23E7E520768ACACDFA293452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624201Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:32.502{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E48A8F2960C04E0670892F598AD2333,SHA256=7861090CB1D0B1113EC05CE06FBCF89FA16F9FECD9477AB3A328A07FD5F4B333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624202Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:33.502{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE725CBC8770F85912D434F1BC63104,SHA256=83BE95E09C96A9025DFF73B67440BBD7F068E2AAE7259AB0592823ED2A55B21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:33.865{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64D9C057366B3C765DDABC2916AB47D5,SHA256=EA22D1B8950471024E49FFDB053016CB37BC0305B3F8495F2D71A7F0D65C4171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:33.349{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDDE4DE3C78E2A49682DC53CCAF7988,SHA256=742802F547702E1A68D71C22D1BDCA1667C4A4282FF3619167A744C0A86472A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624203Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:34.518{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1B4E530DAEE51B170684652FD3166F,SHA256=20EFD800E8B20BE465EA92B323DD95A89D1092835B74EA0F46179B18A77F42AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:34.740{D419E45B-78A4-60B6-BF02-00000000C401}39765176C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:34.740{D419E45B-78A4-60B6-BF02-00000000C401}39765176C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:34.724{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:34.724{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:34.724{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:34.724{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:34.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C16ED42494B225A9680EED5DADA65B7,SHA256=8FDF6CB587B24384A0DF87DC9B9F6C0392B81FD60AF3065C12959C0C9ABB362C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624204Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:35.518{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5532FBBFDB85CBF37CB877F497245E,SHA256=7B7A035773CA49FC3C1BA14D7BF66012F64DD846E3B6E6BEF21F27F279C7B4A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:31.528{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65100-false10.0.1.12-8000- 23542300x8000000000000000684686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:35.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A199C830D9136A2AAFD5A62FF520D253,SHA256=353E658EF2B41E197BC07F375B0DFF1387C59B6657ECCAE4B6CAAD6E4791002C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:35.006{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EBB1D9488B29B992A461943E87BDC2C,SHA256=212EC92CAAF59C99A9722FC4BBEEDE4F3686E09EB2867C46D74A710FFEEDE4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624206Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:36.533{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A657A6D73B76DF1D3774CE26143F315,SHA256=D23D175A6621E7202DC09230D91CAAD3354A13B4B52A302631462A9C43D180B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:36.443{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5667B6EA7CDD5ED3853667610CA20A47,SHA256=1DB6AB15FE698D80DB841709336EF1CE300CDCE6A60813154FB3A7DF0D970B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624205Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:36.143{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AB2D7E17709C9C9C7C175F61FC873CB,SHA256=303D59046388D209532F8B9D038CDC76D04C898E00264B729E0D8C62C893150D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:36.146{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A28C96C2E2D2AF5895FD3E496D54544,SHA256=908E628BB2D0F539298CB378E78B89725F1235285ACDE9401144AAF1AB4CAE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:37.631{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C38E58C1FBBFA95167BD0734417DC741,SHA256=17DB54F6C4E4AEC9A596B5CABCFC642651CD1A9B9C511C4759C51FE761858E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:37.474{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D03EC900C7EB8F5AC1E4014DC636B3,SHA256=59558B52D1E163DF830480F617A777960C6EFDBAD8C45DDDDB7E832508276BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624208Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:37.533{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0C025A3903E7328471FCEE8B301D5D,SHA256=AB278DEBC48EF4C08C2A043BB7387B929CF0E3F1FFC6B2F0D43035993A8E938D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624207Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:33.940{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51637-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624209Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:38.533{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5223796CB6825AABEC8395078EBB8EEB,SHA256=213CC777CD86B8F22A2396463423AD2CD1EC20A06674AF9FA9F1F057DF765777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:38.771{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E276DE704DF8302358AF37727EDE97C,SHA256=661C1DA582D035336EE2DC2C7B132A997E9A3AF2B409EA967D64A2598FA25A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:38.490{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87005951A4A13F39072932CE05D22669,SHA256=E7A26148D2B9BBB41AF1A3537F5016D64F5198DF9875CE7194CAA07F29EC7A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624210Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:39.549{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB6F03365129442DA9CAE340590EC8F,SHA256=D80B6491F1E31984DE95766E264B4771B74466B03196046ACED02392C31A3578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:39.959{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C086CDC96673658E2B2A24F778C61FBC,SHA256=14D5629F16DF96B177AB6F9ECEF7E7DBEFCFAF7163B7B7795C7975B133F380B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:39.506{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF590814AD996F36AF08347AE190473,SHA256=69EF9FE3A35BDA678069BBD8A7A7CC60F3C285BD1B54B986456C20E48C286A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:40.521{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C37E642A2350801070288F82C8F4A5,SHA256=51FB372FEDED73EBA95364301DB6B93249439447A67CBBC26316011DEFAA43CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624211Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:40.549{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95C10E6F88D68405DF34C8F32F58E56,SHA256=BEAD2080EA0DD513FFE4C6C8D1FE41B96DF25C65D71BB7CC02EAD2260A159F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:41.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E825F4638208506B5C2CF0AD15629B08,SHA256=7E16833098515F1AA802D9350C7AA50EE831F1B9734A968748866E6F4B611CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624214Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:41.549{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F3F0F16EE2856CFF58FD6E439F3116,SHA256=7C926162E09522D39F05290A99C70A1346585DAFC1B6C0C336EA2C764C54BAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:41.162{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ABC3F000FD5EF9D0B64AAA9F265C71E,SHA256=64A44B77D09CD50446296193D76CBC9DDEDF89DD8EFBA00BB10DCF43A962C65F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:36.638{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65101-false10.0.1.12-8000- 23542300x8000000000000000624213Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:41.143{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=627EFA8AFDD989CB75B6B435DE12A1C3,SHA256=06933A8381C089C6345497BCC87A55C5460F1324688F2D2BC6385882D9812305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624212Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:41.143{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C1D1D1197AF6A70EAF3C0331D941D4A,SHA256=0ACD6AD01E84DEBD7D1847E61669C5E5640A09339C9AD4FA7C1EE5D9D637C00D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.791{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F6D35167149904EAB535D5291B687A2A,SHA256=7AA5320AFE5586416B6F206ECE047966FDCDDE0C8D9B968ADA3B73177A05C96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.776{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0077704286FC1FFAF46DB6B5D2A642,SHA256=FEABF0A6E0062F304CE74726734F040522B2225F9AA838430836FE42122BDBD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.776{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=31AE9BF81CE15717B475CB6520C7B5DA,SHA256=6BB1CB1517BA2D3D1BB244A8BA0F951913E3C01689B17824FC77EFA19A7FAA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624216Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:42.553{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F997EFDB44BA45C8B6CC3198195904,SHA256=4CECDB4ECAF1103333F20A20C0025BE8F481A09492C428F097667530FC8C0175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.494{D419E45B-01D2-60B9-C552-00000000C401}5620ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.416{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75F44D32BCCF0700BCBE538C5BD494DE,SHA256=EBA883B3861366D0205A6528510FC1A70625E653CDF33CB4C344F31E3C76ACC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.416{D419E45B-7530-60B6-1600-00000000C401}1268500C:\Windows\System32\svchost.exe{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.416{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.369{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.369{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000684720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:22:42.358{D419E45B-01D2-60B9-C552-00000000C401}5620\PSHost.132672109622591055.5620.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000684719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.338{D419E45B-01D2-60B9-C552-00000000C401}5620ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gx2umg02.nnb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.338{D419E45B-01D2-60B9-C552-00000000C401}5620ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mscbmqos.tz0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000684717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.323{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mscbmqos.tz0.ps12021-06-03 16:22:42.323 10341000x8000000000000000684716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.307{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.260{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-01D2-60B9-C452-00000000C401}3085256C:\Windows\system32\cmd.exe{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.259{D419E45B-01D2-60B9-C552-00000000C401}5620C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module C:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-01D2-60B9-C452-00000000C401}308C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\temp\AzureHound.ps1 10341000x8000000000000000684707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-01D2-60B9-C452-00000000C401}308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-01D2-60B9-C452-00000000C401}308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.244{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-01D2-60B9-C452-00000000C401}308C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000684700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.250{D419E45B-01D2-60B9-C452-00000000C401}308C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 354300x8000000000000000624215Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:38.971{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51638-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000684732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:43.869{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF03289AE1C4742443F847E6D957EAF,SHA256=89194D9A45315BA266B160A6E3B871376DAEE8D2DE69CDA27E5C4719E265A9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624217Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:43.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA1AF5338D03C624505D91FC70CD332,SHA256=DE8C561058B6F22455FE1E1A6755342BB2FD6511EFAD7FB13ABD797A8E1E4FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:43.791{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BC0A13C7FFE402CBF50186441E52316,SHA256=A0B4CF287DC864E906CABFEA9B2D438A0CD3DB5561B4418C9CA617CD4251A6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:43.291{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A8DC8CF992DB4CED3BDB1C938B831F1,SHA256=6E31ABF24B9BA2CB941B537DBE25997173189DBD05AD9F7C9C8C35AF32EE00D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:44.901{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9001820EF6D39DEBB11BB8C89307DE4B,SHA256=87BD3E4455433775B582DC8B09EE91B1FF05B53213A0015715F4374CB35FD014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624218Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:44.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD79F31D4E81AAA789582C79FDA0FEE,SHA256=9D4A0F08F0B24BE32F27804601076DC07A4D6D1BAC5AA27E8B5DA05C6505B06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:44.823{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67E2CC9FE04DCDE24537AC356E9A83EF,SHA256=4C6B368D973A71BCCF34EC0F1530E432A6EB54F1DF41A7140DED3DEAA1C880D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:45.994{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4BA27570EC45FAB79EBA3F39B8FE72,SHA256=3489384EC55C8ECFAA7D0BDDBDBECC68A159C5ADCCF67DA0BD31AA5F38E688F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624219Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:45.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28DCEF265541797A16DCC249A879A05,SHA256=56E432FDBC6CE6A4502C9F4E430B86A2A2181C96C49DC4A7A5EAA4CF2B74F745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624223Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:46.585{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8D19F795F0316D40A2BBC29FBE2B52,SHA256=F1C781B92FAC4BED92CFC5706C68E9EB7B7798713AD4833DAA412BF0FFC2B67A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:46.041{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099B5200433DE24DBE58AB0DC056A55D,SHA256=9FFE718BCAB5ECA833962083335A8653BCE31AE1615A8D641A005EFEC0DA10EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624222Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:44.116{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51639-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624221Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:46.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEEF7FC53290FA0A597E35298D5F99B3,SHA256=A4BA9B9414A9CD195C635B7934ADF45ED06C92BD14E24AF1BF957541642D2096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624220Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:46.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=627EFA8AFDD989CB75B6B435DE12A1C3,SHA256=06933A8381C089C6345497BCC87A55C5460F1324688F2D2BC6385882D9812305,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624233Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.913{97C2ED32-01D7-60B9-245D-00000000C501}58125904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624232Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.788{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-01D7-60B9-245D-00000000C501}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624231Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.788{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624230Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.788{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624229Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.788{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624228Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.788{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624227Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.788{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-01D7-60B9-245D-00000000C501}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624226Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.788{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-01D7-60B9-245D-00000000C501}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624225Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.788{97C2ED32-01D7-60B9-245D-00000000C501}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624224Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:47.585{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50CB005B97DAB1901ADC9406A39798C,SHA256=2929EE7BE16CB4BDA4DEC6924FBFDABE75F0E3071128200B4C284943AAE752BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:47.213{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C167D24A49DBEBFF9A2492730922BEC,SHA256=EE73FF964A516D7AB74B13BB554F02004AD9BB8E285FEBA22B7C5AE870637EF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:42.533{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65102-false10.0.1.12-8000- 23542300x8000000000000000684737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:47.010{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3AF354161ADBDFB78924F6F2904750,SHA256=71E598A8DD4B37AB55F2ACD8DEBE7D2E5D34D2698D9B0FD61715434E750C1068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624244Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.803{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEEF7FC53290FA0A597E35298D5F99B3,SHA256=A4BA9B9414A9CD195C635B7934ADF45ED06C92BD14E24AF1BF957541642D2096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624243Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.600{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDA83BDF6EB8F872DAF5F1A41D053B0,SHA256=5A345CEB849BA0E1F27DE0EFD30121B928CA06E0AA7D7DC3268F869095E55C88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624242Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.585{97C2ED32-01D8-60B9-255D-00000000C501}60125800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:48.338{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CE4814D201AE82192B4D9740EC2BBA9,SHA256=0DF4E25B8048F8920F8D5CAD1517374DABC58578D4B2D772B9E573B0AFEBBB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:48.026{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D0A9C0C1251F8401FC0BFA4EDC3D81,SHA256=794C2505D1384B4C2899C5B243F14C7387537AF6E34B6DFDABC9EAB9765FAAD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624241Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.460{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-01D8-60B9-255D-00000000C501}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624240Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.460{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624239Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.460{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624238Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.460{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624237Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.460{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624236Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.460{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-01D8-60B9-255D-00000000C501}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624235Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.460{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-01D8-60B9-255D-00000000C501}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624234Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:48.460{97C2ED32-01D8-60B9-255D-00000000C501}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000624261Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.647{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-01D9-60B9-275D-00000000C501}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624260Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.647{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624259Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.647{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624258Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.647{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624257Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.647{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624256Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.647{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-01D9-60B9-275D-00000000C501}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624255Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.647{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-01D9-60B9-275D-00000000C501}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624254Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.648{97C2ED32-01D9-60B9-275D-00000000C501}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624253Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.600{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB60994DF3CB7A9B540F4B1C284CC682,SHA256=5AC458ED709A330A477D14B0A803EE7B36D9DC735D7217C47E49D090E4CD27A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:49.494{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF1E3FEB10257AD1BB80212AC53268E5,SHA256=1FE21CE33C823499924675A5D9116651CBFEDEB6360AD82D7E0A0D978A4F7EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:49.057{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5027ACBEECCD26786F7EDC45B073806,SHA256=3095A8ECF80AA9E29C7C4DCDBD7061FDE6E9593625EDEB57B493767FCB77AD91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624252Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.022{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-01D9-60B9-265D-00000000C501}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624251Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.022{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624250Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.022{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624249Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.022{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624248Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.022{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624247Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.022{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-01D9-60B9-265D-00000000C501}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624246Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.022{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-01D9-60B9-265D-00000000C501}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624245Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.024{97C2ED32-01D9-60B9-265D-00000000C501}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000624280Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.944{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-01DA-60B9-295D-00000000C501}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624279Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.944{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624278Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.944{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624277Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.944{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624276Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.944{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624275Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.944{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-01DA-60B9-295D-00000000C501}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624274Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.944{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-01DA-60B9-295D-00000000C501}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624273Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.945{97C2ED32-01DA-60B9-295D-00000000C501}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624272Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.600{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F664DBBDF42ACE6D9D8405BBB2A787,SHA256=0FD7658FA10EF5E6C2FFC137CBFF6CC388248D3AE6155EC2B28BF0A480FE7445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:50.823{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E59C80B9D1282860B7D4E3B1169EA51,SHA256=01B53F7BB687B9119151B4EE590E34D076BC98BD4EEECFFA6F7B5DB661CF20F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:50.088{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789369935F6F3ED3528633C225EE2F98,SHA256=14F063DFAC104A8397D4B72A39465DFE757E5DEF04F1BF49E954AB26BD1A2D4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624271Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.397{97C2ED32-01DA-60B9-285D-00000000C501}51006024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624270Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.272{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-01DA-60B9-285D-00000000C501}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624269Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.272{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624268Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.272{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624267Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.272{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624266Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.272{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624265Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.272{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-01DA-60B9-285D-00000000C501}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624264Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.272{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-01DA-60B9-285D-00000000C501}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624263Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.273{97C2ED32-01DA-60B9-285D-00000000C501}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624262Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:50.100{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60FB7DFBEBF70F4E6B16A01D12EECA9F,SHA256=3785B638C9BFA2BA0CAD355AC58EB883622FFBE1C5E8CEFE682ADDC33E637A86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624291Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.741{97C2ED32-01DB-60B9-2A5D-00000000C501}4952908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624290Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.616{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-01DB-60B9-2A5D-00000000C501}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624289Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.616{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624288Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.616{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624287Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.616{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624286Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.616{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624285Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.616{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-01DB-60B9-2A5D-00000000C501}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624284Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.616{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-01DB-60B9-2A5D-00000000C501}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624283Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.616{97C2ED32-01DB-60B9-2A5D-00000000C501}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624282Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.600{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E72EA3830F4DA7FC3CBB40B5019330D,SHA256=30998A453804C4ECD0911197AABB874D3C6ACAFBEAB56B7359283DD29093356E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:51.979{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDE6A78176B24A1E362AF25FBB37C037,SHA256=9F1FE096C6496788F6D48FF2DBB60F89A6B5EB4BA6A2C00DDE5C1EA4ED40A704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:51.119{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5B23FD22D8BF13FD7B564F8427A198,SHA256=F81023F423FCFB6F6F7714632EACBBBA1A2F3ED0601245D9DB970B4A5D0539BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624281Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:51.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EDF6CD824730AED96E334FA7803973F,SHA256=BB5FE8F40D6FAD8DD825970EF12649073D55E5BD11BE1E10F354587D356CFCEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624294Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:49.992{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51640-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624293Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:52.631{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E28B9B0BBFCEFC9B6CCCA056C784CDD6,SHA256=6A983EFA428C41879C71C8AA37C1F22C4FC92AB92886C1279FE848C4A9F7E6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624292Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:52.616{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105CB4DCED86C58363BCBCB642E2EB04,SHA256=1BEC0D647A1A74F3E48C08905871F61D6A9B97EED7C7041FADC7C4F5BEDAC01D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:47.626{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65103-false10.0.1.12-8000- 23542300x8000000000000000684748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:52.120{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B8D9AA78042E4266E7DFC0AAB8F5BC,SHA256=65574E1F04E2A48124E6FF3541827EAAFD176C67766C547068689C2853B9EC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624295Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:53.616{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DC7EF267C6C560259AD631FB5395AB,SHA256=ED4AE8D1AD27306BD43437F26DE1BB5C268291DBEFB6D8F74013C62EF99BCDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:53.354{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC7F464B2E1C102CDEBDDB2F82EC788,SHA256=60233B52343229108D6C54B780832E259591973F392283F6365A83BCE7DAC363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:53.182{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB0A9CCE93BB53846434FB0AFDAE807,SHA256=ACF26EBC0E2FBADE683438C4984B6F21CB775E457F188A73E475F43D7AA56BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624296Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:54.616{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218C07FA8FFF82B90972C63FBF98BE6C,SHA256=77B3A230A9877A28D8E23DC71FA9514E0B216D4F51110F5846991CCC7CFA9B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:54.666{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5E0C1F938204E552DD3E58CA41FAB15,SHA256=176ECBF9A90E84A924504AF4057BA9B000A9A9660E2C9BDC12CAB314C02233A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:54.213{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A0B2E194F5949996A3F24715319ACB,SHA256=EE2D217ECA20E1B93F3112441F7D6740E81CCFF1E5BE7F43FD4F9C3D9921BE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624297Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:55.631{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F431A0D0644AB5FB7ED792E6D40AE855,SHA256=CB1B32DD856F8574BCC3CFD202406A8A252FDDB6DBABE0CDC5BEE4AEF9EE9A96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:55.745{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70BBE895692C3A1BE19BB8BF4F211C8A,SHA256=184066C9FC0CAA40F191424325B2A189BCA87DFD2C03870AB9CE1942DA88183C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:55.229{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE90DF5A40EE16E49BE804A056F55E10,SHA256=BFDD8F784EA51E0E1426001F6712CA5F6B8A026B1089F77EF987AE8667ED2443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624298Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:56.632{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0327DB049577CCDA116F5F1826A2BA53,SHA256=C23AC15C792427D22139B037184F415724AE66EF65C42F2E128583E9A3F371C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:56.244{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F1E5D3DF29E4F925ABF0EFF876CE46,SHA256=C7997FE523B9A0DE6A5A14251FF3AC1C99C3E3E87CC8734BF95F6B89786E8F31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624301Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:55.101{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51641-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624300Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:57.647{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45EE61C29624EEA7F18C68FF0EE2097,SHA256=700101391F1590683752C3111B2D733EC45C008DFBFFAB35F3C5876DB35926C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:57.276{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978BD1EF4C06333381CC1EF482F217B3,SHA256=68E5871F64D7223EA9EB20882DDA4C658F8AB8AA0E58F9E209B1515404698711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624299Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:57.475{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A702A33EFCC30CA0252EB1D441D62C8F,SHA256=F47E25B782F84A4FDA9A33388D2D80A6B834316DE7BE1131A81DA23BE2DAA8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:52.674{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65104-false10.0.1.12-8000- 23542300x8000000000000000684757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:56.994{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E92157A7C7EE53F57807DA1974E7C441,SHA256=C378249306DFBD6C6ABB496413D154628AAE47A8FDCD15B2548C2B6C5084AB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624302Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:58.647{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F612CAB1C9380DB5A7FE19F5C24661,SHA256=A479C62039E82EE25BF3897D9D21E2DE05A372578AED5C04E37108B0A9784D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:58.291{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526CB7816387C0B97EC3E9A11C8D5473,SHA256=F804895FA023219D8D0581DDE396DFE65F1897FDEE258D44658188B1148F6ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:58.104{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97176539F669E62373EC50DD62426608,SHA256=5D152C75E64F4FEB8636E304FA506792B9D41A1D03B1F32F8C0FF1D2C00AB035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624303Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:59.647{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BC8629B4B56AE2151A73783C06FA52,SHA256=6EDC3920A9EA5382AABB7CCF20633A453EA8CA2128CE46F59A4ADCBF25F382A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:59.619{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C901988CFF3FBDB070FCC8B8BBF94EDD,SHA256=446509630442E4837FB5829B3A7E4852A52F1CC7509483E309C24A07A6BA2DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:59.526{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636C3505F246983C53BCF937656798CD,SHA256=7C6269C32521ED65897DBAF606D1515E6A5060FCF7CD1479BDD1E1F321557D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:00.760{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15001BD6C4A50842D9E9B58478DBE6FC,SHA256=B405ED2C9A86959E07879CE75F97F1883851F783FC82D46EED8707726A3A19D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:00.541{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141210734D699E8076EFD27E7EFD5375,SHA256=79E5EA58B6496ABD3341A04E5779760BC0A4EB40FD39F7DDFCF917708E2FA86F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624305Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:00.647{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3823947A489AB6B5C66B48BD7A5E0E,SHA256=1607122D1809868F33CD014EECAF407D7F497A43638E15F309A3D99CF666D130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624304Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:00.631{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624308Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:22:59.476{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51642-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000624307Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:01.695{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE892E6A08BDF474EBA95265237C70C,SHA256=7FA48F748026F944ED3EDD6975305654D5E084E591EB4815838D88462EE677F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:01.932{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DA6F6D1323B22515F4D802EA62ABD74,SHA256=A88115AA86ADFA675DEBAA7BC1449C560923BDF30B38B2CC9CA0F66CA8FEEFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:01.557{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CEB23D67C8FC1E9F9DB8E8B04F4AB61,SHA256=C7713CD64BD8E279EEB11E3B51D28CC092FDF1CAA8BFCFBA7C5D101460AC44C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624306Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:01.617{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA1FD5E75819C97C17AAA849C8D8D767,SHA256=BE925E51F3D3F3FCFBF2A73A1F1A1314748AB737EFE255E9F3373597BEC9F134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624310Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:02.868{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9A5F888513BC687DF6D55C15D464DD07,SHA256=3CDB65CE6D565C1175449FEC69F1C44E3D268962AF6C9D75EE54D6F4EC988BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624309Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:02.696{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E922FF49655666B75CB55B76B0AA5C,SHA256=A5CD3068F7EAB9BFA8B8CF6A4FBCCFB75AD6E108FED92AB1619445716E0F5B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:02.561{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B878D6EAA13F3107E37308B5808A9AE,SHA256=093C9D13B6EBC1D40A37080A25FFAE43E8BD0336CE5D4A40544D47F636B11127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624314Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:03.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A955986E97B9D7E87CC2E834F8CF0,SHA256=B67998FB7E3EB4DE575E0FBD36A514B7666AE38F281E3AED842BCBBBC5592ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:03.686{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:03.593{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6ED56BB8AE9CB340E6401BF5781A7F,SHA256=DEDD3A44972DB396235B30B947C80B758C349E84EE10A0C31C446D4F1A2D6E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624313Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:03.386{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AB50863FA3766042F69818C5BEFBEF4C,SHA256=1B6A777C779C89348E6D9B2C199A2E961B8335BED230854F4748C5F420DE78BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624312Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:03.386{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A5216B98F83F48D65B4E759DA05C80AD,SHA256=E4FEA8D792CC31755A0056A1D53BFFC73BB933A94CC5F96FF3EB2D3387306B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624311Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:03.227{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81D72DE60352328328CC7F6827713BD2,SHA256=79222E3D6BC780EC4BC98D38D04ACB06B0661A63779C8C7EB85461ADD1BBA184,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:22:58.517{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65105-false10.0.1.12-8000- 23542300x8000000000000000684769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:03.030{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CFFFAB8411FCB3B19EF0E11C9483D47,SHA256=68C02BDB357A64F8E99E2940D96A3544FEB71CAB785147378E6BB473CA913006,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624316Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:00.965{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51643-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624315Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:04.698{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000B162197328BF54A8C7638F1D46B10,SHA256=4899130949EE0A81288B4D3C759A419C439E387BB7FE3DAC733FC31A4AD25AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:04.608{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8746A61A27445A89E9D0C53A211F5B4F,SHA256=9776D19A7250FA8D2773080F7E063222BCAB1E2C82C76E9663B689E4FA0D9DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:04.265{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C3062AF8134B980432979C6DA65FC5,SHA256=C9A117D3B44F20F8D1E56A15F978CD819CFAC2FB023BA0FD9C589EB549DD4C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624317Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:05.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7D7D72F37CD7807D7D29715253F8D5,SHA256=AF135893E9AD3C385BD0012B2DADCA61DD368B9FF726A9BEC74B75CD9744F9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:05.656{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=602E448B474DD724A7FBDB1F3E660437,SHA256=3C987814A74C203707AC72EF68A6E8C7EB3FECCE842B63E306932E997AA9589E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:05.641{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5801B9441F8BCD58D08ED47BDDF87A6C,SHA256=9EFDB681ED5DEC24B01F82FB8D02553FD65A502AA58CE90172E4588473781C38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:01.099{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65106-false10.0.1.12-8089- 23542300x8000000000000000684779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:06.794{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C93CAAFCD85E70A7F7245FB6F896108A,SHA256=8491533B8C7D10AE012A711C3E054988EEFE5B02185669B353AF872EA4F0C513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:06.684{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D83CE252AD3A87C871C173027429B92,SHA256=6D9F8C62BE200E9BC96A359DF9FB11027E82C5808825654F94C6620BFB6A08CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624318Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:06.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685375995F71E6BFCE94F12D08CAFED2,SHA256=ECEB749A6EE2CC05E33DF00AE6AE21CAE194EF3919B8279078590267966731EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624319Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:07.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745A06696E10E47D0187C7479D9D7640,SHA256=B0458D2ABA752EF2B816BE15DF280805F11D7601C1316096E5A5F59B0A203714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:07.703{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF9F1FCFBC59F089B26CC2023841958,SHA256=732E0C0193FBC787BD8F43FD0C6F2C662976772AF616B0B5D0FB8AC77E776704,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:03.179{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65107-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000684780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:03.179{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65107-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000624320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:08.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96A5BAA83EA5F3F74F1EC896354BEF7,SHA256=9FD31FB54734F5D3535CD39BF34AADCF77F04A387C0F4D21E6923585BD6D3C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:08.734{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9FE2EDFD7DA0507CAE0B97DCADBDB40,SHA256=0919864007BB3C32C968976B2A8127DCA829CB2D77FC1DA3349EA3EFE7479662,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:03.519{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65108-false10.0.1.12-8000- 23542300x8000000000000000684783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:08.078{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65466E14D066CDFD9F0475C78A06337E,SHA256=DA21142B3F9F077ABBC04297254D28FBDE2C623A780A23961F4207BC97DC5D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:09.750{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8A0D6C0AD6D7BB7D7502B6CB5FFA55,SHA256=9B1759FF58EEEA2715DD2C299784FFCB7C4279F0F020C1FA6DE6A8A6AD0A33FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624324Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:06.937{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51644-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:09.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5AFCA3651DDD70D3220EEDB31FDD36,SHA256=278BF923A13682ACD281E8BB5696425D8671B3DFF447756CA68452D429F0246B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:09.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A922462F46AE4D522CE8E418D49C3ECC,SHA256=92E973E9F52E0BD49833838BC1F5EF0E7F3DE7D5767B0638068698B3570C46C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:09.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBDE55138667813B6A1FBD072D3B7144,SHA256=2948AC110D4351E17A416213BDC02505F617DCDD647CFB0213C77BC1D48C040A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:09.187{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD1E9C8CEF2EC05E5FC21B1C40F5D7D,SHA256=512643044926BD28A54C42A17115B09DA4386ADDDF319A8B430EE73E444AF3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:10.750{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F9EB3952671989B0F437BFDD537B33,SHA256=DC8CB9A30FA46740152EA54A033A444CF3A69A5F5F35BDCE7FB603A46F5C36CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624325Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:10.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B553C3E74A17E11EFE039AB5E5CCCD12,SHA256=347F05E0C1F2077ADE2BD9D273093F96D35036AF5AB053F9FC5A2D0427FD9C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:10.437{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97673DCDA6E32F48604A2CE33DC98E04,SHA256=5ECB7C3440F1DA6D6798CE2C97E176F572EFCC255AE11E6140E0957B34EF3F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:11.922{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C01F560794A6B7B50B191DA0B7D26FDC,SHA256=00052BD1853C5695211FE4F4655C422C7A3FEC6542CCAB8F3C701F6D0D10AD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:11.812{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D4604D136949665340688B741031D2,SHA256=0943CFF8326C453E7FDA4A568F3F3EA1713F349CA9AC4848308A8A5971A539E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624326Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:11.807{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988B0DFC63D77213CD58E53A301CD67F,SHA256=60040FE0217B6A3C0D440005117C4537151116EBE8CB176E6652DDDE89BF7ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624327Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:12.823{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E210E86579CFF62AF73B770C5F67885,SHA256=C20848FC47AADD4B48525CDAD0DB0FC1066EC4E3A3BC67C7BA6658DE7749A1A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:12.828{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5BBCD540DF77A2E2E05C016AB7241A,SHA256=818C7478CCEE072C38A99464AF802A82C770867F3FD710DFF7582957501BAEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624328Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:13.823{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C09D844C8D5E7EB420F95649D230538,SHA256=F0674CEEDEFF08CF1A4C6EE1C752894397842DEB8958C074CD7CCE82BF01F9F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:09.538{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65109-false10.0.1.12-8000- 10341000x8000000000000000684811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.890{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01F1-60B9-C752-00000000C401}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.890{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.890{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.890{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.890{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.890{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-01F1-60B9-C752-00000000C401}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.890{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01F1-60B9-C752-00000000C401}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.876{D419E45B-01F1-60B9-C752-00000000C401}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.844{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B765A467A56663BCC6368C6BAA4BF1,SHA256=9B2B11C79D892915EB97CB53DA3AD26856F4F4FD6D0FAE8445ADCAAD63778DF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.484{D419E45B-01F1-60B9-C652-00000000C401}62367016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.235{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3716F7D39395481394A8D9F3E52B1EA2,SHA256=9954A7C8D7902DC31141634FE81CEE5D17F37377591F08E7BB1B5AE42192018D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.203{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01F1-60B9-C652-00000000C401}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.203{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.203{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.203{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.203{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.203{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-01F1-60B9-C652-00000000C401}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.203{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01F1-60B9-C652-00000000C401}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:13.188{D419E45B-01F1-60B9-C652-00000000C401}6236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.844{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E41786F17E11DA35F2826C6CCB04CDCF,SHA256=D95A94339264887FD08BE17D09435F618B5E868329ECB7BAC7E1ACFC6770CA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:14.854{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97331E0E6993674AE82721061D9094C,SHA256=12DBF136FAB55821E31056D84C3ADDB1A567A4A5D9952695920F58736B45F9B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.531{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01F2-60B9-C852-00000000C401}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.516{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.516{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.516{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.516{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.516{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-01F2-60B9-C852-00000000C401}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.516{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01F2-60B9-C852-00000000C401}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.518{D419E45B-01F2-60B9-C852-00000000C401}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.281{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA2D8C0297B337284B56E78BB8EBCC8,SHA256=007A96D2D2A2BDFE69589AA9098F3FA9208B93D191EC8A415147AC388FAA20C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.094{D419E45B-01F1-60B9-C752-00000000C401}54641992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.937{D419E45B-01F3-60B9-CA52-00000000C401}53285588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:15.885{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B6996789EE2A0785A6197235465DE4,SHA256=0948D607AC299AB3B586643E84E8FA93C1538C72F9646163FB616BD16A2FEB05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.765{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01F3-60B9-CA52-00000000C401}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.765{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.765{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.765{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-01F3-60B9-CA52-00000000C401}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.765{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.765{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.765{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01F3-60B9-CA52-00000000C401}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.766{D419E45B-01F3-60B9-CA52-00000000C401}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000684832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.359{D419E45B-01F3-60B9-C952-00000000C401}61725456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.187{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01F3-60B9-C952-00000000C401}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.187{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.187{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.187{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.187{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.187{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-01F3-60B9-C952-00000000C401}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.187{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01F3-60B9-C952-00000000C401}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:15.188{D419E45B-01F3-60B9-C952-00000000C401}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:15.229{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87B14D2E4E4787B85B935BD6813A5943,SHA256=179A466C6BC2DFF94F91ED7D26D1E7722E22B3F74B66470BC8B69787D8E113B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:15.229{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A922462F46AE4D522CE8E418D49C3ECC,SHA256=92E973E9F52E0BD49833838BC1F5EF0E7F3DE7D5767B0638068698B3570C46C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:16.885{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31FAEE03F82399E379E6761FBBECAB96,SHA256=E6DA3FFCDF4BF7C68FC2509FC25C30AA5AE445239C9F9E20B5B2F68B5D9A52E3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000684861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000684860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09f5f06c) 13241300x8000000000000000684859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588c-0x60011686) 13241300x8000000000000000684858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75894-0xc1c57e86) 13241300x8000000000000000684857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589d-0x2389e686) 13241300x8000000000000000684856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000684855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09f5f06c) 13241300x8000000000000000684854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588c-0x60011686) 13241300x8000000000000000684853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75894-0xc1c57e86) 13241300x8000000000000000684852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:23:16.687{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589d-0x2389e686) 10341000x8000000000000000684851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.453{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01F4-60B9-CB52-00000000C401}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.437{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.437{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.437{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.437{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.437{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-01F4-60B9-CB52-00000000C401}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.437{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01F4-60B9-CB52-00000000C401}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.438{D419E45B-01F4-60B9-CB52-00000000C401}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C924BCFB1F1A53043273FEA59AB8A6F,SHA256=D5F074245DEC069066B71E7462484FB499078DC00738793E8C0CA3F0D3556D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:16.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAFB0FBBF4019C45EC9523F16FE679FD,SHA256=0A82BE0FF068DBDE918C5760674A28F7944127172FEF3C3A2D87FCAE763C7E5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:12.949{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51645-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:17.885{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FCA36AA2F3E06FA661D04729F78094,SHA256=D0EFBF4ABCDE461004685B91FF59443B03A4D62C408664D68ABC0109753C79A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.203{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DB503E2625089692E1B52470226F45,SHA256=11A5093E8F85CA640B5988D57F5F619B1F7027EAD5E08D5CFA37E4367F4BC4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.203{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33CDD8C45A6A79B62AAA96A3366D36A6,SHA256=D2CF37C94465BDA3615E688106B13D7467B31272DEFE10441CD0F38EBF682375,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.109{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-01F5-60B9-CC52-00000000C401}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.109{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.109{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.109{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.109{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.109{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-01F5-60B9-CC52-00000000C401}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.109{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-01F5-60B9-CC52-00000000C401}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:17.110{D419E45B-01F5-60B9-CC52-00000000C401}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624336Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:18.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183007283F3FBE26520F9DDEB247D232,SHA256=03BFDF6D46FE1FF7EA68BF4CEF53D57ED179BACF70375E9AC0038EA418A990C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:14.553{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65110-false10.0.1.12-8000- 23542300x8000000000000000684873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:18.344{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7437F3154C6FF2DFD57844282C897312,SHA256=C53432C8DFA4F082290B17E5F6F6A40792C135C9E536E7E371C502B90C17A66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:18.344{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0F863EE37ACA50D792FFFA6A0CEC2C,SHA256=EA4F62061E99EA7D4F2546C0E56F92EB0AE94A9BEB47639E8BA4B9DD0469D243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:19.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6A6D1A2310C5C28F55F432C6F60E85,SHA256=CA0C85AC6C41400E0165B79238B9C47CFB351CFF018F373D6E4F937C511F4EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:19.484{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAFBBBF30C304C9F9A600B29CF15388,SHA256=B7361F74ECF3D2B201757678A44D4ED898DD3DB746FE2A669765104C5874F02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:19.377{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B59FF380F437BF31DF91EF5C8A76200,SHA256=E009E6BE84F668FE664EA82AAB45F1FC8A2AA62FD95A8FD22F606AC7B3DDFC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:20.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5885D510DFB6FF205DEDF9AA928E8B28,SHA256=A54C5E4E6D6063BDC337CD8C3ED658841146D1661032343428004F2B22E85ADD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:20.515{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67978CB24E8C981CAF2BE15C16086A98,SHA256=0089E4CE2E0889356B3DAD591E74662CE479712D255F610F0820EA44CD61752E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:20.453{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66B1D4588080EEC6B999D675E765A3A,SHA256=FC3E289EBEB7F924E2DCEFCC268237A80085D4FD4A02DD55543DE460A2D154AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624342Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:21.948{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E990F4513DD9A3719A1EC1109B3D5E7,SHA256=A434AD718E364146EE9970A6E6F0D933694FB632562F502BA3004CD31977A7FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:21.656{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2EF25C08C4291CB623E3C77978E68F3,SHA256=85C410EB268F16EC66311EA52FDB98F4DFD2389DC644003DBD8BDE1BB4EAB3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:21.453{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED7053492CCB5FA56E46B0BE49791720,SHA256=2A0C0913DDAEE9B5B5D901E249B19A4DCA88AFAB5CF2871F61776DD47B7CD054,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624341Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:18.933{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51646-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:21.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55A9C5BC8424D90A213D2DC37B6E059D,SHA256=D4732F3344FFCE65E06C20512DD630E0F1145913A18512F20553F95737481EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624339Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:21.089{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87B14D2E4E4787B85B935BD6813A5943,SHA256=179A466C6BC2DFF94F91ED7D26D1E7722E22B3F74B66470BC8B69787D8E113B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624343Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:22.962{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178CEEE4CFFA1A14844BC4B4EB73F8CA,SHA256=200A34B9789524349D92F75E9FA67C15B56F407A932F0F76C0AA6F4D9E66FC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:22.763{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6296F330CCECBE8693234F2D010881FC,SHA256=40E370023C6F63379611679079CFAB1EC4F225C9C031312F4099A1B485D879C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:22.481{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D142146E1F5D5EF667D5E0E88D386F6,SHA256=D2FC42B221E0E077E80FFBEEC811AB3C77827D7A3294F422F8E2529427E12BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624344Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:23.962{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883014C3BE8C0B929B822CC93978F2CC,SHA256=BB25CE4195B9CB248A105C2D77F700EA9DD6684FDF791AF6E1ACFA6FE1A602AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:23.919{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AA1A18A065B0A2F31F5507DE72BCCFC,SHA256=C87F82928D8BB1FED409525A3445FD49B4474F7199FF1F83C7FE849E754EEB0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:23.497{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DDEBECFAA15EBE8BC3F62130D2A6591,SHA256=D9A6F30C4D9AB0A27766101BCD3791723CF3614F52CAF853A7A1B06546986762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624345Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:24.978{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9845EDEBAD4BB42ADB5D3FF1B918D4,SHA256=9D95B5F7FB5C9F52CBCED7AFD0659925962632F0054182A364136C002B933872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:24.513{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE16443F9D963CE3B0C91DE24204F009,SHA256=06497349585312EB66619C9D153FB319C5711CF1BCBABC84544B83EE3BA9281C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624346Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:25.978{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573D3E10E49BAF7CCC4ABB42A7D5B265,SHA256=4F9DA33CE831560CAA78C48E2C30E7258501C11C3E1F58DF257F0BFE9A50A6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:25.528{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C06D39967CAD8B1CF13A443BE47616B1,SHA256=C7B532DE9111E7FC66E898274CF91560A8D86783AA8FCA463FC22C6F857017BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:25.169{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D69F6C3C380756AAABB2CC6E7F71E54,SHA256=2F6D9A4A6F1033E5CE77BDC81A4417FF45BF85E8E67FEBF2FD2B582A761EA413,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:20.472{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65111-false10.0.1.12-8000- 23542300x8000000000000000624347Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:26.993{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A309C4C99608FE8CF8AC39A3CAECFC7,SHA256=AD51A23B243F5AD90E934C9E27F7442B5E979F094ABB7F95CB098BDA5CC407EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:26.700{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E02D9C869C422148D0308089DA743F,SHA256=26DC5BB9B08D454876D06EDC645911583673BD8897B9ED184B332BC1EEAB308B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:26.434{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=686AFFAB1820F6BF6205440AF6F0CE46,SHA256=3889DE05C548CF6FF3A59C77304D313474E771E949C70B98F2E5F3B9E0662B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624351Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:27.993{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76417920FB5C567C860EDC78F85351EC,SHA256=C60BB76A16430D7DE61C1378283B19A5AD06382987FA57A2777001F036906BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:27.841{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B2DD5CE4A57D9E503FD1362712948C,SHA256=E8F3CDC3AABDD6399810484615B8D197286CAB1D9DD069E20B2245C1EC260EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:27.716{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF273324481D7ABEC8B1476E658CD50,SHA256=0040016DF23A478573546B2C91BD435D0FDAF7E7072FEB14E1C817A4C49507B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624350Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:24.947{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51647-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624349Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:27.118{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10A62DA7661E4923252583C4C7FE318F,SHA256=A81E169B093724ADC8EC572EF202DEE430739D7AE4A8DB827C733927DC7A84F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624348Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:27.118{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55A9C5BC8424D90A213D2DC37B6E059D,SHA256=D4732F3344FFCE65E06C20512DD630E0F1145913A18512F20553F95737481EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624352Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:28.993{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4B35DA0E1159160DA301DC9C8BD1E0,SHA256=1100D47318363FBC9F321F7F25D13DFB3CFF25EAEA26C1A3742E322E2284C2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:28.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=221C1CB6B15B1CB0D0BD51E50F45E8F0,SHA256=16FA231C70D70C3D2937B521773A27351C68E6398EFDD5CDCFAD6385C1CBBC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:28.716{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19167E81284CA37843A32C4EA8846A3F,SHA256=ACC0B76A617E18EAEBDE86F7E1EE0C8E8FBB5A908EBF387B9BE6BFF32A2D3CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:29.717{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024F41ECA3B8E5CED312890E1184412A,SHA256=4213A2B5D6F1F28B7C1217DEAE3C90A4F6C4E8ECFC9257C8B9ECA84041EFDBB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624379Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.478{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624378Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.478{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624377Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.462{97C2ED32-7730-60B6-1600-00000000C501}12044108C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.462{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.446{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624374Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.446{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000624373Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.431{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000624372Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.431{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624371Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.431{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624370Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.431{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624369Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.415{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624368Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.415{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624367Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.415{97C2ED32-7730-60B6-1600-00000000C501}12042556C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624366Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.415{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x8000000000000000624365Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.415{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.3503 (rs1_release.200131-0410)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=4B455FA2A15BE4C278D0D655A7EA9543,SHA256=1C04ABE14400CC4175704B08D008454820BBF14BFECE1934A82756A6037E681B,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x8000000000000000624364Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.400{97C2ED32-7730-60B6-1600-00000000C501}12042556C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2C5D-00000000C501}4452C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624363Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.400{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2C5D-00000000C501}4452C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624362Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.400{97C2ED32-0201-60B9-2C5D-00000000C501}44522880C:\Windows\system32\conhost.exe{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624361Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.384{97C2ED32-9094-60B6-BC06-00000000C501}9441004C:\Windows\system32\csrss.exe{97C2ED32-0201-60B9-2C5D-00000000C501}4452C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624360Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.384{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624359Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.384{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624358Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.384{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624357Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.384{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624356Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.384{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624355Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.384{97C2ED32-9D3E-60B6-7A08-00000000C501}33644936C:\Windows\system32\ServerManager.exe{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000624354Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.380{97C2ED32-0201-60B9-2B5D-00000000C501}4364C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000624353Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.337{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=E374D5274CBB1B3A2C4DC805565E5928,SHA256=ED076CA7FF46575681F7EE6E033FA31961882245D217B4C87A96F132D6694DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624395Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.603{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10A62DA7661E4923252583C4C7FE318F,SHA256=A81E169B093724ADC8EC572EF202DEE430739D7AE4A8DB827C733927DC7A84F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624394Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.587{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624393Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.587{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624392Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.587{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624391Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624390Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624389Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624388Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624387Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624386Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624385Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624384Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624383Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.571{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624382Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.384{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E1D63AF4A1A2B1A8E4DA124D3628D79C,SHA256=9A1F10B12A93EE014481C0304D458A49E205EEC4AD817D0AA08BAC9A2B684F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624381Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.384{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AB50863FA3766042F69818C5BEFBEF4C,SHA256=1B6A777C779C89348E6D9B2C199A2E961B8335BED230854F4748C5F420DE78BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624380Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:30.321{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054810E6AF530BD005A047FBA409DF9B,SHA256=97A468D1E3100DCABC4582C37B4C745E693684EE9DC0ADCD255A7A7360AEB372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:30.733{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE91220A3C5AFAB887E37B51F24DEF2,SHA256=6A9C36EEED0C8EADCDB2865A8F80A0DB24062AD5D06CBB769E2C1778BC4A1EB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:25.628{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65112-false10.0.1.12-8000- 23542300x8000000000000000684896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:30.061{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=345DCEDF146EBD4FE601701707F5394C,SHA256=C16771823DA6EB9D7CDF9B5E4F96DB3FB2F6D9339827C5087D06981E2B31F995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:31.779{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEAEF8118A7CF03DB89EA5F9C45D90D,SHA256=7FECE946E2EAFB64BDEA22BD6ABFD05014554CAF4CD2E28DFA25F4BE5AA29E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624398Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:31.556{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE98D5326A53B471B982546ED28E62C,SHA256=717ED681C23C4998C7EA947D466F83CFC07DC4560130CDF951C14656887C78C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624397Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:28.297{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51648-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000624396Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:28.296{97C2ED32-0201-60B9-2B5D-00000000C501}4364<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51648-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000684899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:31.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A51F6F94991204939D88B1558DDCA5,SHA256=CBF42D06F64279F522B727686B45D34BF02AF34241432B1ED69A720D79F95A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:32.858{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CDB17FE3A10298BA4340B5A2E7C941,SHA256=41517C6FBE279DD62267C4EB52B50BEDC95F4AD9D308B961F16A9188C7BF88DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624401Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:32.587{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC16FBD43CDEB3B844229B5B1A98E179,SHA256=4D08CD7FEBBF1EF47BFA0FF956B012CBB94A2A2F8EB65A2B09716952F27CA142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:32.764{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F61E85B9052AAF21E93AD04902A5260C,SHA256=C130D797433212B98630C3634114406194661632CE1FE16ECFCA6DDBAAEBB9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:32.483{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFD386E13611F93DD7B90EA82F87F375,SHA256=C7BD62FCCB2686C22952ABBFF7E41948178D32E30570D9E20E950F251D41A0A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624400Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:29.963{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51649-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624399Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:32.103{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02E8C42CE201CE074D1D020A3D35C5D3,SHA256=942DF188718F263AF2E1B0176B050F1B2518884137BF0970CD3FF6E1A8CCF958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:33.873{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C07BEE4C7DF870DD55817F665E3BA13,SHA256=9C0476AFBB8AD3E3BB298D2F88CDD92A35C6BD1F281A49BF49832B54FDB1530E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624402Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:33.587{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DB66A5A1A166BB11118BCD820C62AF3,SHA256=7590C323CCA05A17C0186EED4ED2864BAF56D2525D10FF490B99EE0B57E2F210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:33.529{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E689928AFB5903E883C2145B3D2E552,SHA256=B53E7EDD90F0341B023B435809DA6720B02FC5C8631EADD51135BBE66E06F646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:34.889{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F149B0694BF6CE2EE651E493DED13F,SHA256=189D6BF73D1B00EC2212B4A3E5307050CE3C440EEC93A74F8D95CC307D87D33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624403Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:34.618{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B96B070F103664A94067A60E3C24475,SHA256=7F65FEEE0195A327DC1E43F219C3AE027FDF63BC3A1BC4856AD9A32C899F595D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:35.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1077AB7AEAB62E198F5CF0F4C0EC5B,SHA256=2CF2D839B07A42A361156376769B4B07CF175F99071153E31546FF81E1538FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624404Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:35.649{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E55A8EC9FF6E76E4698604C0E056CEA,SHA256=5DB16B2CAC77DCC58BEF41032AB35C05F2739B6831C61F7967CED0EA8AF87923,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:31.504{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65113-false10.0.1.12-8000- 23542300x8000000000000000684907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:35.108{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C68CE0BB7E8FF61E6D1761C97E8D49F,SHA256=7248C26B68063B9FD6667491DE1B7E82BA0CD5F5FBCFA7FDA28AF381C0F24502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:36.920{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D225ABBF18DBEA3F79C81C19A46876,SHA256=F6EF0D89AD43800ECC54665824A02FD7B05FE1863BD14E188D62554D35DF9AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624405Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:36.665{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585FF7CF69F8628577BA6C3C026BB0CE,SHA256=0C0011506A1DD1A37826F33E2FFDE81E877ECC0E6623E4A5AA28BD935E16698D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:36.233{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9D5D2B35506D77834DC53D9D96ACBE0,SHA256=13C9228BB4F2EAD3AD809527AD675E3EBED3A171C8F651DB08B4B1ACD209F16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:37.936{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89264DD67772A4F7543D26002FDEF23E,SHA256=3FD84A03AEDC79A6930511748B21699CDDB464141B5B01D4B343800B8E47CA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624406Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:37.681{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF86C6365B1E1FE81256AC35C016BD5,SHA256=96785DE09225A1DA13B4D817D7593AD3A727A399458FF6C9EDED259861861AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:37.342{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFDC6F6DEAC8CEB6A7C069491E8A3925,SHA256=BE92079995B1035B8F8BFFC3305F55C41B7F6A2D04578682E6C4CE4963622CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:38.951{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A117CD0DCCAF54BADA82271969CE243,SHA256=9FC97C2C012968401A956436709B9D764E30C1853C35BF9516633C91B8A327E5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000624411Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:23:38.728{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d75894-0xcf507e39) 23542300x8000000000000000624410Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:38.712{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E939CE93544EF9AC297A57E27012B3F,SHA256=C3FA5B7616AAF3DCEFE78FF51A0CCE4B132BB9DC7C71111665BC6B7EED693764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:38.592{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=510CB89135BC48E31BE4C970C5141002,SHA256=AF903826C4E982522CDBA713DB45B38CB36E0807960542D4C3E09448606780AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624409Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:35.916{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51650-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624408Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:38.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B3E413F368F634C86320633430D1B25,SHA256=5AA9A8D6A0D3A11179D508AB07E823D2347E09B500CB28AF41F77B263D50C306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624407Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:38.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4576A7C4CACDEDE120859C9A372BDAD,SHA256=CE03FBD15EB7ADB4470B2EA71B28B0BCFE2FCF0237590619E3D130524E715B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:39.967{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0475935E9CFEBCD108EFC408278FF4EC,SHA256=CFDA5863309C9F8923179DCA42A63E07E747B8E9CD4CAEACB65C4A60A661EB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624412Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:39.729{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C202A5C64657B87834EE25B849F44FD,SHA256=4D2E45FD210643EE0A87CEA270CCB5C7EF5CDB79623DCA573C6FD707EBDBD98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:39.858{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6710C8AE6937F2D1966812F8DF237C05,SHA256=D2E68B82266499BC852882E4B39F1D1C9404E6B6B041A9F530C80A4EFBB38E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624413Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:40.776{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3074C0BE39329DA5FC81570C4074C6D,SHA256=66F4516368F7D2D6395E6A6F50D0987F084FE4D9E4E0D9F61E9D8D420FB30FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624414Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:41.776{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907B6F79682133CD567D63DF65ACF10B,SHA256=93C66F6FC33E13EE0A9CE774BA187B0CA6BF76EEFE16A6A6D9E1465C70A22A45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:37.489{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65114-false10.0.1.12-8000- 23542300x8000000000000000684919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:41.108{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4B3028952E7AB243220ED6CC4A0DAB4,SHA256=19890D2D592DC4BD91A42E6DEF733EDC178CE66EA2BE971686E139C959C93295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:40.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9AC888C3DE6774A807A07F88A7C8217,SHA256=2EABC85500069D1D3215CA1585229B25C375E1755D64FA67ABA0B6FE9F308CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624415Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:42.790{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F3A83D570D9CF12FDC29C380A06487,SHA256=6C4E66C43B1E14BF7F617E95E7089D65760516DE9DBC71C3A282FC3723049D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:42.262{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E24DE3FEA67276EB9DBEBF0B8AA3123,SHA256=F55150445A394DCB9BA972E8D40E9EEFAAD8E20A586BCE781E2303129718DFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:42.014{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FDBC72896152F5F1BBADADC0AC5CFE,SHA256=99AF802D38609170F04730026E3977323C127AD863339DCAD7DB0A3A4F31660D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624418Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:43.806{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FCF740C2E0E286EF45E8F9F1C6F72F,SHA256=1FBCCFC34A55534D8EBAEA15453515A5325F4AEF489C5E48AED2090A26E94A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:43.496{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AB57F6EEB8FB755E55CAA9801FB5FF5,SHA256=A37BB7E08219F541A3967D6172D83305DE62DF47770A81EBC35C55A75D98C557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:43.027{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145DD498A875CA18F930FF729DB5B176,SHA256=1BF6AACEAA45282D6EB6262F0D3E7649B5BEEA490F3F3AB29763A0290C7B1D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624417Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:43.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E28B9BF9B1628D201B4A6835CE659A0,SHA256=794147E36AA4EADC242802F4D3F4127690BC406112C470EF85837C04CFF4D7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624416Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:43.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B3E413F368F634C86320633430D1B25,SHA256=5AA9A8D6A0D3A11179D508AB07E823D2347E09B500CB28AF41F77B263D50C306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624420Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:44.806{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DCAEA712CBF67F52BC3DBF5095D4AB,SHA256=1CE7250C3B9DABCCA3F7CBB17C9391DA58881D3D2359342B572A70F336276924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:44.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCE6DF45A99D7BEFEB716D87E8034ACE,SHA256=4447CC5EFE748370F624E893D436480DB9491EECEF22738A90113CA9E37B865E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:44.058{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E073407634E593565D8295A4B5C9BB5,SHA256=EE99EEB864006D52F24B8174CE22A2CFC553E1156F45DE2748DA68387DEB8140,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624419Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:41.040{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51651-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624421Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:45.822{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4041CB26DD47A0614AA3EDCA7B5DB34A,SHA256=0A10A160ED19CA808E69ADD453AF772DCB847A0D800505847DE940C115BBC591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:45.840{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0800B6BF1B59FA51B651C887A79C2C6F,SHA256=B96A19AA74011EDEAC62F20638AEA2B9F8A6CCE788C45F4AFDD0DCE0D4AFDC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:45.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0933D8D267DDFFDCC502390B2DDE98,SHA256=596A781CF4051461B26F4A8646D89CF5D9C8B9D4F6CFE6C6774789146C6C423A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624422Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:46.837{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F243C530D0339C2F1CFD960D54B7FF8,SHA256=4B4F50BD13198C36E6F4E423473C41889D5D729DBC1598E75898CDE0C5197D9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:46.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:46.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:46.855{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:46.293{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E279FC50288713B3909C619519CAE3F4,SHA256=C182892A0C27D0191A49F41BB5C3D82FAC20F4B01FF88ABBEA22F59BDAB85C3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624432Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.915{97C2ED32-0213-60B9-2E5D-00000000C501}50085796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624431Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.853{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5829F0500DBEA058E3243AD1E7B9CF50,SHA256=809AD11A497437D183D7A844E6B16E2B2D5D2003813A73E7358E10F4F706165E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:43.502{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65115-false10.0.1.12-8000- 23542300x8000000000000000684934Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:47.309{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B933910227C6A1F63CF5B7823CC6D8,SHA256=9DB01E3ECB692435F23AC50AE46AC538D1F84DBBD8D3E885B30EB75A69F6D7E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624430Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.790{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-F211-60B8-F95A-00000000C501}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624429Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.790{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624428Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.790{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624427Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.790{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624426Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.790{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624425Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.790{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-F211-60B8-F95A-00000000C501}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624424Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.790{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-F211-60B8-F95A-00000000C501}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624423Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:47.791{97C2ED32-0213-60B9-2E5D-00000000C501}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000684933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:47.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99259506BFBD365F242988800935DECF,SHA256=4F70FD398A5C9E7F4D03811C0292E990DC9DA4A82B2DDD6228B5BB8B0D656325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624447Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.869{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424649893AE6542A80FBE6A2D44FA382,SHA256=6266DB0548D231F1B80E501E4F82CED6C90E879B767EC7ED31D29B7C036D9D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:48.449{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D873670DFE412124D0C76EA5C944FEB,SHA256=B6EA3DA729974B75395E20B3172BFE6C10FB3DEDDB6F17EA9A2895BFD88B2DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:48.340{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F2D332FEC83A5922C93395C28F985A,SHA256=365B79E7EC20CBC826310B409958E7F854E723E6BEB85CA86CF365FBB8E61BB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624446Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.822{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E706BB34EE5DA6294A13278CAC9A3E0C,SHA256=4F6E0BB307781C27AF615E748C6B06FD9797832E5FC4D0F130263B3E49546E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624445Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.822{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E28B9BF9B1628D201B4A6835CE659A0,SHA256=794147E36AA4EADC242802F4D3F4127690BC406112C470EF85837C04CFF4D7F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624444Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.587{97C2ED32-0214-60B9-2F5D-00000000C501}46805400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624443Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.525{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624442Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.525{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624441Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.525{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624440Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.462{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0214-60B9-2F5D-00000000C501}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624439Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.462{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624438Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.462{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624437Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.462{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624436Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.462{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624435Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.462{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0214-60B9-2F5D-00000000C501}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624434Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.462{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0214-60B9-2F5D-00000000C501}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624433Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:48.463{97C2ED32-0214-60B9-2F5D-00000000C501}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624466Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.900{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE6E3A8B209C2C5EC46C234BBB21EF3,SHA256=BDE586456EC4C3B1B59310481A0B967E6D6509305E0F421C5E916D7E807894F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:49.652{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1811C5145F06F708779D98CF253A818D,SHA256=5B5384D77917834C4E7583D904CB26247298770E47C4A6445E9E7BBB623ED4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:49.371{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0980A572C60753941EFB4B4077DEDBDD,SHA256=0A4651F1B10720BF042B664721BBA776243B510EBBB346F2FB302344F4FAC367,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624465Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:46.946{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51652-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000624464Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.806{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0215-60B9-315D-00000000C501}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624463Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.806{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0215-60B9-315D-00000000C501}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624462Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.806{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624461Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.806{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624460Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.806{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624459Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.806{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624458Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.806{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0215-60B9-315D-00000000C501}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624457Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.807{97C2ED32-0215-60B9-315D-00000000C501}2760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000624456Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.259{97C2ED32-0215-60B9-305D-00000000C501}55843452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624455Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.134{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0215-60B9-305D-00000000C501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624454Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.134{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624453Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.134{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624452Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.134{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624451Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.134{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624450Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.134{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0215-60B9-305D-00000000C501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624449Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.134{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0215-60B9-305D-00000000C501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624448Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:49.135{97C2ED32-0215-60B9-305D-00000000C501}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000624484Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.915{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0216-60B9-335D-00000000C501}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624483Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.915{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624482Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.915{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624481Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.915{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624480Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.915{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624479Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.915{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0216-60B9-335D-00000000C501}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624478Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.915{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0216-60B9-335D-00000000C501}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624477Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.916{97C2ED32-0216-60B9-335D-00000000C501}5840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624476Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.900{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E804F9106DA79A2EFD180CF1F7B517,SHA256=D27AC31D8A49E6D72083C74CAECDD045C4362179ED6E924DE07BE4A2E8CE4437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:50.730{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C650A2926CB36C1895A59B698C0D624,SHA256=78A43576F3F872E29E75917C8B9041FB5E2AECB777BEA94C9C4AFD8B5AAFC456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:50.387{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1632D6E0C7BE77205739FB023A757624,SHA256=3DE4CB901E8F2325B6B95AF61CCE08D59F88BCE6C087C765878ACDF64F07157F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624475Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.337{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0216-60B9-325D-00000000C501}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624474Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.337{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624473Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.337{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624472Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.337{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624471Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.337{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624470Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.337{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0216-60B9-325D-00000000C501}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624469Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.337{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0216-60B9-325D-00000000C501}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624468Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.339{97C2ED32-0216-60B9-325D-00000000C501}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624467Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:50.197{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E706BB34EE5DA6294A13278CAC9A3E0C,SHA256=4F6E0BB307781C27AF615E748C6B06FD9797832E5FC4D0F130263B3E49546E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624495Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.900{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBB07440EF4BE78768F865D1C0F46EA,SHA256=D98F3D5CBFB98DB985B76E090A4312605464FA10632E690FA8FF200DF5463433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:51.887{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B07E7D5F0CC8CD31CA99047F3EE2A1E,SHA256=F3254813B453A4F3F29449B7C2C0763FB8B14F5E6360C5B714B24E89F7C7A46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:51.402{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E427D921DF92196FB6101F31D57ACF,SHA256=EB7811B76401F4161A9CBB046FA8CCB4E183256BB36F7996AB09DC38662DE3CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624494Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.728{97C2ED32-0217-60B9-345D-00000000C501}5041928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624493Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.587{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0217-60B9-345D-00000000C501}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624492Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.587{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624491Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.587{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624490Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.587{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624489Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.587{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624488Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.587{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0217-60B9-345D-00000000C501}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624487Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.587{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0217-60B9-345D-00000000C501}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624486Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.588{97C2ED32-0217-60B9-345D-00000000C501}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624485Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:51.353{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D84F4ED42EC7D53597CB15F61DAC32C7,SHA256=6651647199B653D7E2A067439E012B52F0C909DAEC89A27DFB5EDA0F3C6901C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624497Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:52.900{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5B360E810C223AEB0D6ADEAC64F1D8,SHA256=A36E8A9AE7E616DB4872A6A0CF63A200C7F2F04CB6F36F2CD99538480605B242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:48.533{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65116-false10.0.1.12-8000- 23542300x8000000000000000684944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:52.434{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77682C05EF1658FC11B07F53E2BA6BE,SHA256=0F821D52AECD8DD18B49861BEA3C3DBA90BD89DB9EE748C407542B89D54E463E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624496Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:52.603{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27BF65ECC39DECFBE1D37F52D7BE7514,SHA256=083FC521BA9B666B07B8949435D1D5AAFA181011886489E516D31209A985E250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624498Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:53.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74445D89FBD4D729A9CA5229041F8859,SHA256=C396AEB380A30D6448F8F6D75960628AC95350CC24AA0C3212C5C844CE426593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:53.434{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE88DD728BCF00D987901ED145286C99,SHA256=F448BFC7061BE4C221655EF4B0B42B81328BE867FA80B024F71388DD9FA0DD57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:53.137{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D2C379022F8574493165887D02D920A,SHA256=ACE6984F5F4A5749228D5DCC3A606877B928349C943D3A98B0F94A520C85D15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624499Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:54.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BAAC07C1348DB475BC3E798DA2938F,SHA256=D8537A5973445C088D077FE5CF7294DA01218D77310359890A9C3913D8737970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:54.637{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1893F7014B17EC53953BA97258E4D2,SHA256=8F56131116F1CA829BF357ADA788E19087AECBCE72B26041F24369AC814E804D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:54.449{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=541EA975DAF5D0B1FC155F3C6E20F8F6,SHA256=81A3D906B94A7EDD06D057C47F8841F666BC240730C270629E4A21893684822B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624501Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:55.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FEA0A175A964873DA017B064BD21F6,SHA256=B85E2B5CC8D8DD7B40E82B8C0E958343D7DA6EE35DAFDA273D5CF4F94A2C8DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:55.777{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D2275C992EFE58EB0DEBEDFA5EB2E2D,SHA256=87D020359CEDC4173F1F40E72319EBEFED8823E2EBBEA6AFB5E928289BAECB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:55.465{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F156DDE937561F00FDBD97F5987930C,SHA256=C61DD66BBFFFA6D62AC22D9BE97259335918A53A10C1AC039DA085D4A1AC6C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624500Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:55.103{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F13115242E56CC397F258D39432F469E,SHA256=FDBF2503DA02ABE00A3701683DE7F49A535D11330A69CF9E7FB10DA063D24DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624503Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:56.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3903CDC2BD0F89FD540DEA3266D64F00,SHA256=1F4422D7DA98FCF4D7DC6E221BB096B5502FB27C3726DA7022043E0F9321FB36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:56.918{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93F645DD3A2ADDEA04D9C7D75FF49AD6,SHA256=17AB7861DF6FB92A2EF38DEAD9C1714D26221097E214D21BF28FFBCFCCB2E9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:56.496{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B1A705757EFD457506FC9B0B8D1865,SHA256=A71E73464E4D0FB277C2C22FA7AF6A5627A25EED89D16C33A83F02541A4DFC27,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624502Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:52.946{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51653-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624504Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:57.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A255D214CEF5F74B7B5862EEBD92DE3,SHA256=CE7ADEE6A35195FF8B60B9D5039465AA001F5720189AA36D202E9FC033C79DF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:53.627{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65117-false10.0.1.12-8000- 23542300x8000000000000000684954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:57.574{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8D35A2A6627C33DE9F04A96D7D2D2,SHA256=39A743F6849C19670BBC6C9B5386C0F888487C53D475450A750F32BE67BF968D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624505Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:58.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8678B61CEE3058D2B1048C2BA90F010,SHA256=E4A03AE2BA88FAF03155B59A8BE76F2773E1A94790E9343F34DC32F41BB45DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:58.590{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6CB94F012C30664FB9E740E3C22D29,SHA256=F3C9183C156DF6F224A29CD5C963CB5007A1B349BC5EAB756C2B897C03B10451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:58.121{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1F90DBB43AE281A5D7B7FB212209C8F,SHA256=DF6556468E0613C9EF6D66191E54BEAD5328183581A8B755FE4F01E3629787F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624506Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:59.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57361A61786B0892C4E0B7C650BCB4B,SHA256=DF40326AC29FBF5E362CDDE70375B292D6A73E4B6555F75F76EE48152611D5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:59.605{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE10D81F0ADEC1B73614BC102EB0AED,SHA256=890B138213C06C97572BACC7FC663CE1C705C852D60C7157963C4179499C3C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:59.590{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80FFA73C90C5996F7838182447959129,SHA256=33D0F2623DCBAAA1D53FFB16BFE4C59D0F37CD8771540B15C5D67FCB1E479752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624508Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:00.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356B556772ACC8A33D455BE3367FFA2C,SHA256=44D52C82D16B3B32ECC8BB3E875F638CF20BC5BFBE9C799787F18D4BFE7F2333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:00.793{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=321C1A73A16BF37012829483C789B732,SHA256=7DFAF30FDD8EDFD121564495D807ED8B867AC2799EC4B30077767E6DB88D2FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:00.652{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5D6A5A2F7C2EE5758EE52DB85471F1,SHA256=353D2C9B8CD84262F7154B91D8DD89939B75FBEC4DBA130E9FA6A0E4B246ACBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624507Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:00.650{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:01.871{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B1C248414E873E5D5CB77024DCF9873,SHA256=E1DFF648F1FD7B50893301FDCA1BD3FF34716804A59FDC1BD6B5D4F8B39886EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:01.652{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4075ACF2EF357525DAF7AC64A90649E9,SHA256=EAC0F8BB0487BA45CA195226C52D7B49AF50289210A6F9103E6AE19490666193,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624513Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:59.493{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51655-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000624512Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:23:58.931{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51654-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624511Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:01.915{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCBB25481C4496EAFDCD04E51FF6EA4,SHA256=274D175ECDCE6A53FA0D5E6A9C557BCDC115BE8B72B68E8D831E78B54E82B015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624510Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:01.072{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EAEB39310509C5889BD9FE4E61AA26E,SHA256=A91B7D0607AB6D5CC7CD92AC5089DBC0CEE4090F04DCD3A3364ED6F9B88A27F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624509Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:01.072{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A383E839589C18B9B06DA4A48163163,SHA256=11DF149D788886437119B809780456E79621C2EEB11CF4BBE66E302793A11CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624515Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:02.922{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E76D460FDF2185A8BFF5B7120FE422E4,SHA256=42CAF0AE00D3F15328452DA3E29060BA668DCE2481F3CBFEC3E840F5412C56D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:02.687{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A434AA89F862F172F57223165AB3DD0,SHA256=4290295B00484026B6A03F7D22B1A5065FA70C0A9204F14786A397C4D268046D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624514Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:02.875{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ADA0E6B737744B0B940FFBCAD16DB41C,SHA256=55079FDB36657160DD8F4D36571DEC730E1D456B8DDFB7EFFE003A1E0DF01892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624516Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:03.934{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2417ACFABAC2184224FD4020837EC32A,SHA256=4237662963847F34D1199DB425CE9C5A8D2A4A878FC1BD216CC4CC05B8ADDF51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:23:59.502{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65118-false10.0.1.12-8000- 23542300x8000000000000000684967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:03.703{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:03.703{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B4219AEBBE6697E34E2A544ECF42D1,SHA256=528B8523663C3612F2605A7B5D94DA001621847270B4E2ABDC8AE0284FD0D81D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:03.187{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8E0E1E814A5D93A74852408ABB561F9,SHA256=DB71E96CECCF10C20C384C0EE701B9A61444793D9A89FFA6FB44A2E43E5119CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624517Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:04.936{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AB07858DE2C796808D85E35A3384F3,SHA256=7DED07C7B5F99B5E8E6F8E11F60562E01EBB2DA197A2475CAC62B65E7775007E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:04.734{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2F67AB945EE13981B51EEBB6411583,SHA256=DD4F49286A2F17EA91F53BE3D33CDEDBAB4AB24F03F27178285B612992C15391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:04.281{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8516B60CB7CB887D9623F945C1CA2B99,SHA256=DBAE7DB6DF46F006924729149060E377E5786CA37C8707117220E3A9DF6CB65D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:01.100{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65119-false10.0.1.12-8089- 23542300x8000000000000000684972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:05.750{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B883DAAA4365338F3E1CD8BF04F116,SHA256=0E54623ADE83E1E7EC744267AF72099FAAB593736362EF02F4A3C5623CB05FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624518Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:05.936{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238B5E57A2BD7AA7085FA96F8BB07EBB,SHA256=C7F2918B392125DF74B7EAA85D1C3C9D40FF7FD0E5674E2FEDAA40099F494AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:05.469{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30FFF648FCD30D51248D3552206F0E80,SHA256=3C0B1D09C7AA08D3C576A793A4E33183787D49374A9FC3CDFE55D8CD0C5328C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:06.797{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D59B8ED51BBFCE1980A9F1865FEB7CF6,SHA256=44DFAB0B5A2C0775DEA37680D550C0D49BCDF528C8F47FE3D4DB4DA914AC2A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:06.766{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92789C42166AEE99525860AC7C4D9A04,SHA256=746BE7D034E7E9ECAE97EDA925205971C16F9B113EC84134145DA9295B0D8FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624521Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:06.952{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A91066D78EEC298262DC2A68C6226DC8,SHA256=3CAFCEFCC9A0D39714EDAD3332F380D94D173FC3DF9C14781395062F5F062700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624520Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:06.155{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7478DC27BB41BFF61D6A286DEE145C5B,SHA256=E9491EA03123A3E55E8F9EC8795F646E90ED642E5867189A0BDDEF3D1E724601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624519Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:06.155{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EAEB39310509C5889BD9FE4E61AA26E,SHA256=A91B7D0607AB6D5CC7CD92AC5089DBC0CEE4090F04DCD3A3364ED6F9B88A27F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:07.919{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=741AA56682D7A3160316F8FD08AF941D,SHA256=10D48DA42DDAB2E7ABFC152FEF68789BC51BCA4D6E3DB97AAA88A34D5C4F85B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:07.794{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09126786F41BBF1B5598C6C33EE5472D,SHA256=9379521D79393EAA2A8AA951621DC095C0BD24DC356FAB89290A0A85C71B5A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624522Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:07.952{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A1E7E14FC1C6EE14B85135BCA966A3E,SHA256=4FBAC3D0435ED0A556B90EBC7E3CDC13E94DDCFC23D0992009228A9A41D2128A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:03.194{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65120-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000684976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:03.194{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65120-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000624524Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:08.952{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C7ED14001DBEC94892245F89D6F46A,SHA256=03A974E2C7C926D650C5E126E67CCCDC9F8D394E3EBFA027CBAA9A476084F3F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624523Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:03.983{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51656-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624525Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:09.983{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B627E4431CDF6302768C326551521458,SHA256=E065C10C2049690B76A089FA8BA43F8DE1A51A2761F22F7C428254F24E7A1960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:09.595{D419E45B-752D-60B6-0B00-00000000C401}632756C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000684982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:09.251{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1037BF4B9182504936A4F5BD6FE91EE7,SHA256=65FA1DFAC98FD730D08E99DCABC3135B25F3ABFF7BF500EA92BFE9875C042547,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:04.566{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65121-false10.0.1.12-8000- 23542300x8000000000000000684980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:09.016{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3585CBEC65FE3396D984C33A192E64,SHA256=591172218FDCA3AF43BA17AD7B90D4DC15654A1DA6A38554E026296ADDD456B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:06.908{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local65123-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000684988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:06.908{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65123-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000684987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:06.900{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65122-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000684986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:06.900{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65122-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000684985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:10.501{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=836D0998E5008E655A6039DCB2933E84,SHA256=3FA3161E0066881C2785570B5C2521DC18E8A5C0E4734CF6AB6E8C0FF73195B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:10.063{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B304304D424156B42B4429C53C91FCE7,SHA256=867F0E3C5B4ED2002F5CA94003D6FC67D5CB59BEF18C5273C72668B7FDDC2D96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000684993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:11.813{D419E45B-752F-60B6-0D00-00000000C401}9041968C:\Windows\system32\svchost.exe{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000684992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:11.641{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50FFDB10588FEA900264D44EDEE9668E,SHA256=A15576B336925DE6AA1E07CCCF5CBBF5B73B1FDFBA3B3E388DE795EADA9DD797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:11.267{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086D0C8AACDBCDAB882F74CB47504D07,SHA256=FCF35825A687C24FDDB08E4A04A86EE9EF16695E620E92693157B8EA34736D0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624553Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624552Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624551Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624550Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624549Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624548Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624547Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624546Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624545Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624544Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624543Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624542Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624541Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624540Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624539Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624538Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624537Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624536Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624535Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624534Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624533Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624532Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624531Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624530Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624529Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624528Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624527Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.343{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624526Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:11.046{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1051540F3232A5CF9C4AA0EBFEF051A3,SHA256=71CB9C7A2A0E853BB36885039EA0D7B02677DED679AF050AC470D67E26C30B97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:07.010{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65124-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000624556Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:12.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A88D09D23346859951FF6A772B2E8B,SHA256=88A85E802F46B60BC2A88AC9E270D9A5D622A5E709C6A2C258DD38C4C87FC483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624555Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:12.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7478DC27BB41BFF61D6A286DEE145C5B,SHA256=E9491EA03123A3E55E8F9EC8795F646E90ED642E5867189A0BDDEF3D1E724601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624554Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:12.171{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D617C52E5640086DA36707C27284FF,SHA256=BAB85D5891093C50B09B007BA1D05B8ADF5A95CF3E8B5C4A8043502845D8710E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:12.782{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8B4B41E9FEAE074CE4FCD508E40CD73,SHA256=EF586AA7858F050B3F3D7F4A98E5F8B65D3E0BB1BD346A8127809B81E13A7C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000684995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:12.313{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E8E54BD74EDC2FB936EF8626066A1F1,SHA256=87C353A195E6371080AD16688808E210591B10081068BD0330AFEED1B961EA1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000684994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:07.010{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65124-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000624557Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:13.171{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7BCFAEA125B81EEDB86272DC0343E1,SHA256=AD9E8CA70799D2440607078F6A7E75666691A552A5C0172EE22A82492750FD49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.891{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-022D-60B9-CE52-00000000C401}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.876{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.876{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.876{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.876{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.876{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-022D-60B9-CE52-00000000C401}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.876{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-022D-60B9-CE52-00000000C401}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.877{D419E45B-022D-60B9-CE52-00000000C401}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000685006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.407{D419E45B-022D-60B9-CD52-00000000C401}3484468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000685005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.329{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E25C228DAF9D47F12984B024E625FD,SHA256=A6B9C8CC41E027757AB82D3106D1B4D208ABED2916CEF4ED9A79C08BFE121D9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.204{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-022D-60B9-CD52-00000000C401}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.204{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.204{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.204{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.204{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000684999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.204{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-022D-60B9-CD52-00000000C401}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.204{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-022D-60B9-CD52-00000000C401}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000684997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:13.189{D419E45B-022D-60B9-CD52-00000000C401}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624559Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:14.187{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5F4473CEB12CCB0A680D7B2272B746,SHA256=7472F89A9757C24E48A52951E7A9213CEB918D43BA48650BC39D22248BD67516,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.548{D419E45B-022E-60B9-CF52-00000000C401}21766160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.391{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-022E-60B9-CF52-00000000C401}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.376{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.376{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.376{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.376{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.376{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-022E-60B9-CF52-00000000C401}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.376{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-022E-60B9-CF52-00000000C401}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.377{D419E45B-022E-60B9-CF52-00000000C401}2176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.360{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CF3DD09F7BB5C1251878C5A98CB031,SHA256=4AA5E375B22CC577553C809675CC9A446C9C149F4A03652F7820E8B7C8DC194A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624558Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:09.967{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51657-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000685016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.110{D419E45B-022D-60B9-CE52-00000000C401}59162548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000685015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:14.032{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B2EE49909BD00C71CA5D6EB91E98E2C,SHA256=60FB19A5CEE60BE2FA661E51006D059EA1F8361D9CDB08D96F239E7A54765693,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.657{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-022F-60B9-D152-00000000C401}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.641{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.641{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.641{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.641{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.641{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-022F-60B9-D152-00000000C401}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.641{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-022F-60B9-D152-00000000C401}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.643{D419E45B-022F-60B9-D152-00000000C401}308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.376{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB3BA3DE4B6C7C517BE5BFA77607462,SHA256=838B611B460B7FCD639F7E66D3F7260D58712D67DEFB8EA0FF9D478F77369031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624560Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:15.202{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=989381183B0BB666660B8C647EDDB5EC,SHA256=FA1D498E36F6FA66B3574B1BCAA816930C2BD494DCBA4CA02D57DDB7A3181DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:10.569{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65125-false10.0.1.12-8000- 10341000x8000000000000000685036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.204{D419E45B-022F-60B9-D052-00000000C401}34165232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.032{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-022F-60B9-D052-00000000C401}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.016{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.016{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.016{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.016{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.016{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-022F-60B9-D052-00000000C401}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.016{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-022F-60B9-D052-00000000C401}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.020{D419E45B-022F-60B9-D052-00000000C401}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.016{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73604DBFBE44F67652306F6901B8B58A,SHA256=21AF05C62BD73A9B14893B32A7904939A2F6356543A867C5F6965145FF20F91D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.954{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0230-60B9-D352-00000000C401}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.954{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.954{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.954{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.954{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.954{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0230-60B9-D352-00000000C401}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.954{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0230-60B9-D352-00000000C401}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.955{D419E45B-0230-60B9-D352-00000000C401}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.391{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D0C79AC4433F080C59898079357F24,SHA256=55D05D7807FDF12D40289AFF0F1B23693DD42187E035D3034239D9F98A0A9123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624561Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:16.202{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724FD0A336E59F68E986B6657C75C833,SHA256=FF73D659E39BE5A695ECDE2F60DC70EB628BF3F18CAACA29BA267F0FA1F7C748,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.282{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0230-60B9-D252-00000000C401}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.282{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.282{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.282{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.282{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.282{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-0230-60B9-D252-00000000C401}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.282{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0230-60B9-D252-00000000C401}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.274{D419E45B-0230-60B9-D252-00000000C401}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:16.266{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0F1F99ABB9EF6B018C735A2C0D1AE2,SHA256=06B0981952049F8A21DEC1FB519C446701FC003EBADAF159A289AA923887947D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:17.563{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A20F8D9617BE1485E1A0A93287C8C256,SHA256=0D10D9AA49C83951572B1D4C9B0EF98159BA012E83A575645C1BEC1088A3593E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:17.563{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0557A7F9E193E01B8BB254D9CDB7CDF,SHA256=31FF4EDEDED41BA9483FEF5B1CC9AB518DDB10D82CC4971ECC7634C80AF28480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624564Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:17.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2508F5EF87C29BEADC9806834B8F21,SHA256=F6574E275FAE67D6363DE64AC741146FB08C41D6B005E4B5B82E179DBF89B949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624563Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:17.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74A88D09D23346859951FF6A772B2E8B,SHA256=88A85E802F46B60BC2A88AC9E270D9A5D622A5E709C6A2C258DD38C4C87FC483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624562Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:17.202{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AB2DC7E08A2B99EE4FC2967FD4FB72,SHA256=C536543931D715D0AF655CAC4FD49F21BEF2426E7422AE8482AAF7131E1FF4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:18.766{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73066DE8109803EFC63A9A2BC417B743,SHA256=577F87E1A6E00ACB1C5DA9C8E9D17535B49FA9DB5A13D0065CA26493FF762D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:18.657{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815392AFB0FDFDCA5D5200EABCF2FF78,SHA256=4412CBDC42939A5404DF8F231EA9D422E0A81B20CD333A8172C6673E07254450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624565Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:18.202{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3918D16EC58834C0E36068B86EF0DB2,SHA256=41F0033882F437B8C83609703052D9CA51862896499C7E6685AB0EEC76847C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:19.907{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD3E4FAEF7CF7386322AB5BDD9A50BE,SHA256=DAAE00B454DBF3D2B1713D5BAEBF063196DBE01E69BDB9478AC1AF4CB63940CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:15.600{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65126-false10.0.1.12-8000- 23542300x8000000000000000685069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:19.704{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F23BA28177E5590EF0D3040E190FBD,SHA256=FC62782DFA6BF9FA3CB40494717A708E265470707492E73C28AA5CAE6673BA0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624567Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:15.030{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51658-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624566Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:19.218{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F076BDB58FBAF9C12D42C9EA1D5E32C,SHA256=03B58B8FC667786AE85055AB59FACAA59469E89C28ED42974C7D83810FF7915F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:20.985{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF5BC76FD6AF05702786BE76ADEC2602,SHA256=1C2A0F26C3231439D110823568EC61A75EEC347BCA91E6CEA62ECFF780CA3B06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:20.720{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8865B6A83C0042B63C549F2142855FCB,SHA256=926716B81644295B8641CD332BE12B65FDDF8918B44D086E8CBDF60B94E29782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624568Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:20.233{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D573A7C32B281759972B55CD71E676,SHA256=BC7C67F644A7EA028EF2D264971CD4D7C8E9B7C332D3C5A8D32D346C02B6A394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:21.751{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60CB4D9C7478EF8A4712B23BA1A3569,SHA256=02E1A8130E082312827A82FAE4C705E301F67ACFE06966F56F71EDE1CB810206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624569Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:21.280{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712C9DDDF39E55A2F8167231F6F853BA,SHA256=51A24B01B1F3D09484B3ED1B5F65F666585CDE48F003999CE1340EE7FDFB021A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:22.755{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D29FA773797B343BFD26D5D7A71F1BC,SHA256=379A885B7B4629729A62562EB758DE9BDCEC824D240B9B5B0C5905E00B213DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624572Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:22.409{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05A76B8FA65EFA65D6E1A59286CD6D10,SHA256=698142BAD49BC5F291CFC84E23DFB75CB9EEFB153A43A1EBCAEC02CB7A35CB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624571Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:22.409{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2508F5EF87C29BEADC9806834B8F21,SHA256=F6574E275FAE67D6363DE64AC741146FB08C41D6B005E4B5B82E179DBF89B949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624570Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:22.300{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9DBC6CAE6E5DC6EB292463E9C8C3F1,SHA256=78E3977E69ED1557854EB3A202AA7FEED9980CF7D989018F30B31D14CCA49F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:22.063{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D2904AF4CD322A7530BD20ADA10FCF0,SHA256=BE0559391F5F231669D4CD12A9F171C0BD0C5519EC926143279147C52680DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:23.787{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCDBFBCA3A74FD72042D6D72691D803,SHA256=D811352E3A642A7ECDB64E4A9616CECB7D56EF730211AAD5BB45BF445FB26333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624574Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:23.331{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94490378C38A07927C17338839D76D9A,SHA256=1AAB5B76625FA1520CF439E0F16C13BB653162563024450F62E52CCFF5346E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:23.162{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6E1A7C4F81C404482BF0AB5281710D6,SHA256=50D7D9519311177D54BEF426E911FDBA4803AF8E7C40F14FC503317E385E56D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624573Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:20.046{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51659-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:24.787{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB68553DC9882D99488E04087CB5E0F5,SHA256=8F822B12805EF235BA5ADD42E3852E2DE91BFABC730EB1394DFB40F331DAFC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624575Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:24.378{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6D1CE8A7547C4C6781E688F4B0978B,SHA256=A9F769153BE226AF3BA4A718521999BAA02A78E0A4C79FCA3E22576D78136932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:24.443{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D65E2D5DC03DFB75CDC2D9B5904CB98,SHA256=FF60D4AB9C59FB46DE5B7D12B9861D0FE9D0491BD9741667CA4AB472EF2DB1EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:25.802{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9989ED8127C078B92569DCAD71F06967,SHA256=15421A9FF208BD8E9BA3518C4E43AE4BB9029171DA2C1F13C9291F7AFDF7137F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624576Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:25.394{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690CB6E689D0E0EF92F370D1C0D62C58,SHA256=775A8DB47AFB36DFEAC8C7FA08132D99A6EDB9ECB7ABF1039F3E49F8B78BDDFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:21.480{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65127-false10.0.1.12-8000- 23542300x8000000000000000685081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:25.693{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A8DFDF35F0BCCA98420436952F1B952,SHA256=B62206DB70CF9104B18A445313780D6F5114448075F69B8AC839152BDA3D3E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:26.834{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C02B68FA5C3E89469F3529BB752028B,SHA256=7F7783DC13FB42A5B6D92D8B0AB12B627B2A1ADE37FBC8251A540CCD4326EFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624577Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:26.440{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7827C369A59EA9B0F8F376488CFFCDBC,SHA256=1EFA571E1F4327581C7B0F888EBAB149E4B16E754785F8073683AD05D4D3C391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:26.787{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB71D3E454B8D49AB469B79A3A5A0EF,SHA256=A1597539120BEC6CCD490DCA2CE7CF2FAB85A0898BB9D227E297492B603178E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:27.943{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3DCE066FC11BA04A5DBF67BADFC501,SHA256=5B4A53AA9C756C11C5B0A7A929640E3879B413289C18D819F6D3B7057749F1D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624578Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:27.440{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA507B1E0347F18530A2B6052983562,SHA256=6204E042C25FF431343325E129C3172EB606281615218E0D4EE84B53917A2D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:28.959{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5C2B248EDCB0A6B19291E4C4795E13,SHA256=1E6588F3D963E1F1434B1B2C2164BA8F133FBFFE7661D95E6E85EA3F82E8CE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624581Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:28.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CB5BAE44C6D01ABBDF89D315546721,SHA256=C87296974326E1C03E4B5064596395775C1939FA0D1017E52928299311455F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:28.099{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95E295D3E02E663133D046504BF34179,SHA256=52E67073A1C9FE2153989B2FC8156916F446A1328E938915A576F67AF5290D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624580Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:28.409{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC5926408F02C8E5F44BA7CAE8F89523,SHA256=4CB89B356FD8A4751F336D8B5E8CA7620C91FA8EF9939531B23DF60CC41001D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624579Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:28.409{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05A76B8FA65EFA65D6E1A59286CD6D10,SHA256=698142BAD49BC5F291CFC84E23DFB75CB9EEFB153A43A1EBCAEC02CB7A35CB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:29.974{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026F19FFE850DBA9E78C48E3D0F7E36E,SHA256=32F178EC215BF29AEA6BAFFFE092127453D0ECFD9491014151B9CCB981892C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624584Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:29.456{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757161FAD83A71A766096298B9133945,SHA256=02242EEEDC421B9CFB9F0776D6417D5DBBB8F2CDAE262E6C00A0843037948AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:29.271{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=277DE504FB10338AC6747322BA752060,SHA256=6AE0ACB22E61C94F8BA78FBE9DD8AE04A9F68E0958D5350C70C3A2574730B484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624583Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:29.409{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9ef3660.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624582Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:26.034{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51660-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:30.990{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FBA58B95C12A1011A177C1D39C9386,SHA256=C6EDE61920322214212C95C17735A794688504CF10B3D52E9C2ED7B50A07B663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624587Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:30.737{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=57568D9C6A215E9C4C65D820800B7B81,SHA256=D478E938CCDB3154601460972D978FE98FDBEAA5D53024A71652621DB4BF022F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624586Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:30.737{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E1D63AF4A1A2B1A8E4DA124D3628D79C,SHA256=9A1F10B12A93EE014481C0304D458A49E205EEC4AD817D0AA08BAC9A2B684F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624585Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:30.472{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2419EEAE4CB249F612F0561A4C4ADCC5,SHA256=4B59DF37AF9B7D9F460CE6B58DD6BD79F42A76392582AAA102074A2ECBFAE00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:30.427{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FD60DAD029953E12523D067E29973B6,SHA256=09EB174CFDC57F07C638E4EDBA7248569BBA82914C2AC20813C6575384FCAA3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624589Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:31.519{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5D5088D54A3252276453B7BD610EA5,SHA256=F1CB76148347960572E8027B5127E4455CBAAA4AA37E8D271BCFE39F3F3D33A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:31.662{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACC9CC75AF71011A55314DDFE1E14ACA,SHA256=82DDE9CFBB15872BDD13D4306C0949EF2DAD134B709046E7132D2760D09CCE7A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000624588Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:24:31.019{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d75894-0xee7b7782) 23542300x8000000000000000624593Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:32.519{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19732B5BA1F5F26EE5B2F127985BC27C,SHA256=2B55A6E1A628807FE1BA89C356386D7D1F2C7C9047814DDB0996438414EB98CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:32.896{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=190550320E14FDC8D39F0EDBACFC7318,SHA256=1EC81B0D1059AF10C6129C98F5FF442712EE99292A1C5BD17CF879207834BD94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:32.771{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=049FBA90CC1462CB39F2D1B59848D421,SHA256=D544725B8874A35F383D5E36EF9C23EA4D4258C1CAC56E5B4293CB454530E930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:32.115{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B421B13EB89AD0F20BBEB12D28A6BF6,SHA256=2DAFC40E796164CD30DDBE2CC72E2B58009735241BA618C8EA3B30260A317975,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624592Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:29.862{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-236.attackrange.local123ntpfalse13.86.101.172-123ntp 354300x8000000000000000624591Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:29.862{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-236.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x8000000000000000624590Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:32.003{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC5926408F02C8E5F44BA7CAE8F89523,SHA256=4CB89B356FD8A4751F336D8B5E8CA7620C91FA8EF9939531B23DF60CC41001D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:26.651{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65128-false10.0.1.12-8000- 23542300x8000000000000000624594Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:33.550{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D4CC64E3617F1FE17C239E3A11B877,SHA256=B1C9048D5D9EDFA80E6C52925BB0464AE4793D8A8D68107ACF481B6D6E6F2431,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:28.417{D419E45B-752F-60B6-1200-00000000C401}480C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-233.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 23542300x8000000000000000685098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:33.115{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A87E1E07690B6A8038772EE3EC8609,SHA256=866992DDE971297BD4CBBB4989B1BF127ECF93065E1AF8BE96858823A9D9DFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624596Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:34.565{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DD45AEA68E88D4D43020E6FA1DE132,SHA256=E46AC6F293305147FDD2BEB0DDCB342BB5170709A2A1B805B65AF5A31020F34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:34.506{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65B55DBABBBC6501CE59DDBF506C4170,SHA256=95A41D76B4176E9669B1B65419DD5148CAB29700E4AA83F10BE0F950E75C48BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:34.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0406927FBE91731FC0FB4F20F9DEBA93,SHA256=E467BAD69079DCE6036CF03C4BAFFD0B1E0C81C0CC9691F39FD15EBD4DE7963F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624595Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:34.112{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AEE950CB510D8B6A7E5564899FCFFE2,SHA256=F756AF11FC6DFD9780DA96AE1EF087B28B71A61CB604C707265BFC3C036B1082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624598Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:35.565{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FFD29E156CB1A51F47BD5DED95D4A7,SHA256=875ECFF1DAB1E23E89A877B359EBFBB14B21DB8D194D750C4F7708D65C405BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:35.537{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=250E9D2080DDE853B721C413EA39B416,SHA256=373D466D5114172B5CAD2DE9F953F11CBCF3969BEC94BB72239FAEDF8844E6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:35.131{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2DFBCD70586D9E86727F7C9AC9A795,SHA256=410783BD16CDFD519DDC7C13FADEB2CC7BD595F7C2366603A554644A588F4543,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624597Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:31.940{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51661-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624599Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:36.581{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C03C84ACBC4716A47F3D822EC747026,SHA256=A36F0804C4CE56316739C9A0DEB2EF7A268F60265BDA001052DF1590C18D326B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:36.802{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4876F7E3CD7224B8CBEA588CF7C3A0F,SHA256=AA12D85E8044D17ABBBC0B621EA5EFFAF73223808E290082A1898AC9ECE190C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:36.146{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D756DF03BCC8E6BEC19D727BF8326F,SHA256=B96A89A57516C11861EB616DF7719D0A7BBA2982BEDA4007AE1474BA7A339EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624600Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:37.597{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA714A85CCFCB284599ADBDE5E38C0C,SHA256=14CE04AEFFA0C07174420510D6D0E5FB6E6071618E440E12A8B03751203FB600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:37.193{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A805602539A7B16BD58B6E8CCE1A41,SHA256=9875B50CDBE21A81B7B73991B12F46F323E007A8D81C89FF3B4298C78FA232D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:32.637{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65129-false10.0.1.12-8000- 23542300x8000000000000000624601Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:38.612{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB18B7B4BCA7512B7F02B5DF7DF2AF0,SHA256=A84E4234F6FC3C12815DFFB8D83A796805E9B35577570F72BB185483E41D4F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:38.209{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AF70CCCF1B831F9FDFBC2FD611084F,SHA256=7CC7571DCE7CEE374E2945E9939B00D5092D667AE98B556BA318A538830F9510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:38.068{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFAC0A18B937C2AAF1893CAB02F848B2,SHA256=28D431F92053F36D3F46EADD735B69892ADB88AA79D886E1D2377C0F3FFE81B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624602Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:39.612{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4106BB22BADD3BFB94A710951820CB76,SHA256=91F72FF38EA6CBE9EF834FBA85612B72ECDD09400C0F176F161D7C986AD3455D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:39.459{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D3B145F843094891DB6309AA0BACFB1,SHA256=591D4AFD2B4CC93035FA96E891EB26FFB9A3CED886263C1471898A35FD61D534,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:39.209{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54DB1610D070192BACAAA06AA8AA409,SHA256=45170598386E4AFFE5EDEB1B8F2B1742D8CF1634A0878D63552C55A46997E4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624606Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:40.628{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552F2D96ACE2E4864F0AD935685FB6AA,SHA256=8667C0572DA159F28CE33A3ECE4B7CA41721477162269B7FA68A46F2EE252C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:40.537{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FDE0EA56C09C515B58586EFB8C23E7F,SHA256=DA32CE4CE56F3443566F5EF775A0E90F0BA582365364F7F130150855502DDDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:40.271{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6E16DB3497BDF8E1BED6F88F168A459,SHA256=7195B6C8F019C5FDAF3C2BD1C6A19311BA92E6D528749AAA97948A278596E0F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624605Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:37.925{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51662-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624604Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:40.081{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A10E1C29027BB3096452D2E8D02F0ACD,SHA256=90BF44BA65B0E7CD3FA057A51279C2ED1F7CEAF2D8A92249B23F0ADEBF5B2B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624603Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:40.081{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CB4DF2BCE7739D2D9E2DC52DF23AF84,SHA256=7C0F4BF3466D1778AA12C26F1A97D32B577EB3D31BB42A936776E9EDC3606552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624609Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:41.628{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E868F6BA326BB8AEBDD67AF09DA97674,SHA256=2D19179F31893E65A0B546CC1BA00AEC8A9C5A4F296640A50A57EA6E73793194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:41.677{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D207CD947D01B5ABCD260A8FB14A4406,SHA256=669A3B1F2D495406EB44A156DEE16B933828D438E8BBE242A5D02D3EC7DC9C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:41.287{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407C888FC3FFA6CEB1972B1ACFA80EBC,SHA256=01DB4F02950B709878D93304ACF27D28EEBFB8163C1221258821108323640126,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624608Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:38.240{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgmfalse10.0.1.15win-host-236.attackrange.local138netbios-dgm 354300x8000000000000000624607Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:38.240{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-236.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgm 23542300x8000000000000000624610Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:42.629{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291A2A227B35562BC3A4D9951F64E607,SHA256=7B649357C33DC945F5A2B1F91E07216B77CD33FE4B68A4B0FB646825230852A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:42.788{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8514D22579DEF57D199C051AC375A4C,SHA256=8F3D0F6DB4E91122B6CC88954760806627E905FB49435CB712C4B813AC0827D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:42.319{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952844A2F9C2B0CB79FED1E4F387F2C2,SHA256=A921E04A5D5B9050B7DB24F42E1E7328E09CE603D547724534B2C336354B9C51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:37.636{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65130-false10.0.1.12-8000- 23542300x8000000000000000624611Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:43.660{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA5E94D0068E0753591FBBAB93753B1,SHA256=C5ADCD9957E3A4BE16344E4EAF56817517BFCB4A9BEAE4546A0E7DBB52065DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:43.382{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3A9CC2C85FDA60E1F7A8BA3402576D,SHA256=B331025A231C69FA5AD08726F5BE5B87B4506EAC5801EC761A8073F06741E8A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624612Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:44.676{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D684DA530E979EE03220694DB8B79A4,SHA256=959CD060846357FB470140DF63D538830E43227855BADA3127C580FA83B59175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:44.429{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEEFED160756AED40C092399BCA82BED,SHA256=A11AE5B62723460420438D1EAEF611DE06E83810694F037C2643A2E0C3E636EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:44.085{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2132A8A8190168549A63E2A377C584FE,SHA256=B669F9D308C914A020BCE42383353609BC522890C4E3DD7761302F56485204D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624615Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:45.707{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747229DA6834F12772C3A540536B8AD2,SHA256=2D220BE18D3FA7B5AA83ED8712CEDBE295927C8D62F55BFD612D4BB49FBCEF2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:45.663{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C027518FE3E29EF8F6DC45E473A3D90,SHA256=4E05E8F69D886DB41DF607FFB99D36E254E92C1D025EF151FD079B5CB1EA6976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:45.460{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF82FD9124A874433DDC3A630D36BA4,SHA256=B61A60E358D183618B7DAB2456FD246C66C723BC7CEADA8BC02EF0FC78423D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624614Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:45.192{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70A13225F976B90636C6F948584BDEB0,SHA256=1816E8E1B20EECB439975651930C33A81EDE669526A9D08149C551EDFB24996A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624613Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:45.192{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A10E1C29027BB3096452D2E8D02F0ACD,SHA256=90BF44BA65B0E7CD3FA057A51279C2ED1F7CEAF2D8A92249B23F0ADEBF5B2B85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624617Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:46.707{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C04E140D33C4646BA0E5B5C766D6E77,SHA256=F6E3E1B4D9ADFA72F05E228B8FAB066E2588925FDF9622141DFA6A548287B217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:46.694{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A73A61DF22600C213388E8FB8B33EAA,SHA256=48679C1BD077102A8826EDC935C871B991CC3C9F9B37ED5E64DBA417B997C99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:46.476{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2678E945D8ECB3E6F8E7F4E1AB8E1A6A,SHA256=19CBE3F317483F166C9B27649D639D3A269B5EA82AA336EDF84A6D60A9CDF41B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624616Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:43.051{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51663-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000624627Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.785{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-024F-60B9-355D-00000000C501}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624626Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.785{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624625Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.785{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624624Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.785{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624623Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.785{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624622Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.785{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-024F-60B9-355D-00000000C501}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624621Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.785{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-024F-60B9-355D-00000000C501}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624620Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.786{97C2ED32-024F-60B9-355D-00000000C501}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624619Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:47.738{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22BBB2285E6CB698B8AE8C59C5B66F9,SHA256=C4044912A1922C721173A950A5A7EEF23AAAEA1B72CA08BF132570D7B61D6C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:47.835{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03FA10862BE17F234E77FF3831E65B1F,SHA256=FB6069A21C893947B1A0D77EF55AE21F21B162634F03DEB8835A0FF6D1B1E57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:47.491{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693124253420E8F2B451B06881AE3828,SHA256=828ABBC137F48612E6E0B2CDCD28C4FE0BC8A8CF8EDF7074A93BDA9A89491F39,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000624618Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:24:47.020{97C2ED32-772F-60B6-1100-00000000C501}984C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d75894-0xf8050884) 23542300x8000000000000000624638Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.801{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70A13225F976B90636C6F948584BDEB0,SHA256=1816E8E1B20EECB439975651930C33A81EDE669526A9D08149C551EDFB24996A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624637Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.738{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201E2CFAEAA600008D394E47CC856A99,SHA256=9F35A2A23CF9BA8AD04D1A7C39FB0DF3E5235D5EB38F5EFDE49D7D43A929E276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:48.522{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756A6BC23FF46309EEA598BCCD279569,SHA256=6A4B9A252C534426898417A0BCB8BE2A7650B64F7EB35F0C38B911BBEB43794B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624636Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.582{97C2ED32-0250-60B9-365D-00000000C501}44241240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624635Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.457{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0250-60B9-365D-00000000C501}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624634Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.457{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624633Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.457{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624632Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.457{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624631Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.457{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624630Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.457{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0250-60B9-365D-00000000C501}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624629Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.457{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0250-60B9-365D-00000000C501}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624628Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.458{97C2ED32-0250-60B9-365D-00000000C501}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000685128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:43.590{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65131-false10.0.1.12-8000- 10341000x8000000000000000624656Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.801{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0251-60B9-385D-00000000C501}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624655Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.801{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624654Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.801{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624653Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.801{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624652Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.801{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624651Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.801{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0251-60B9-385D-00000000C501}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624650Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.801{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0251-60B9-385D-00000000C501}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624649Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.802{97C2ED32-0251-60B9-385D-00000000C501}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624648Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.754{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5273AC86110A68C92652BBE1302607D6,SHA256=9C9847258BAE9A70F3F6BD72731B995C39F9EE3708E3DDDF4AE68F2FB3280DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:49.554{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5174F3DC83342551E9570B232878B5B1,SHA256=47C238AC4ADED981E00CD1D51C174342E6C1B973FEFA502D3169E7441DFD4A97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624647Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.254{97C2ED32-0251-60B9-375D-00000000C501}5780832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624646Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.129{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0251-60B9-375D-00000000C501}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624645Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.129{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624644Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.129{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624643Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.129{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624642Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.129{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624641Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.129{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0251-60B9-375D-00000000C501}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624640Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.129{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0251-60B9-375D-00000000C501}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624639Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:49.130{97C2ED32-0251-60B9-375D-00000000C501}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:48.991{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E8150AA9A95760FE518706AB654CA38,SHA256=F1AF3F332933F823752DA2F9D0C5809D7BA3408C82F9CF3401E16E10AC870092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:50.772{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CA3F4D075D6C623F7EC1060DCB4D84,SHA256=715252A233111CF6F32C3DE8247B74FA8B44C78B2693272E3DA12F219C498E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624666Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.754{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3A6277F4F1213534071A78994E8B54,SHA256=0899AD1604EEE3EECEC556D993AC973ECF1B838A8CE399F1F8058450C39CA9C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624665Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.473{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0252-60B9-395D-00000000C501}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624664Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.473{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624663Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.473{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624662Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.473{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624661Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.473{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624660Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.473{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0252-60B9-395D-00000000C501}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624659Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.473{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0252-60B9-395D-00000000C501}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624658Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.474{97C2ED32-0252-60B9-395D-00000000C501}1216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624657Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:50.207{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=754875216D7EDFCAC2CF76BAA79015D3,SHA256=7143D85065FC0FC0822492E9ECE2FCDD61BDDA3122A37206723ABFD049B52200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:50.257{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=307D4B19121083626EB042D154B251F1,SHA256=9F68464BB94F56B417E4ACAC9F4D1C883B7A09D9E27060625E8CE4EA9690E2A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624687Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:48.973{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51664-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000624686Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.785{97C2ED32-0253-60B9-3B5D-00000000C501}46763832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624685Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.770{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85BA89859C56DD4B39D10953307E931D,SHA256=BDAB592B0DF956EB364CB5186434FB141CE08D526E9773B5157AF22C694BDC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:51.788{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53556E47CD70898690555C4406119F7,SHA256=A883EAA3FFAE7E96EEAA9718BB7491618BC4F11C65DE272CDE93A3778298A6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:51.351{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50C75E03CB6A8531043759DE070CDA62,SHA256=E330AC5A5B64CCB4095EA95F5419208D1960667715D85BC1ACA100A0384F28B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624684Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.692{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93EFCF13144CF1AFE408C5038D768968,SHA256=E0696A671AF6C3CE1E07220A90793B78385DF8A750EE81D9B3F992F67E0D64E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624683Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.660{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0253-60B9-3B5D-00000000C501}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624682Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.660{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624681Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.660{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624680Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.660{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624679Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.660{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624678Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.660{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0253-60B9-3B5D-00000000C501}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624677Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.660{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0253-60B9-3B5D-00000000C501}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624676Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.661{97C2ED32-0253-60B9-3B5D-00000000C501}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000624675Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.270{97C2ED32-0253-60B9-3A5D-00000000C501}41324292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624674Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.145{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0253-60B9-3A5D-00000000C501}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624673Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.145{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624672Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.145{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624671Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.145{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624670Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.145{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624669Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.145{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0253-60B9-3A5D-00000000C501}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624668Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.145{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0253-60B9-3A5D-00000000C501}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624667Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:51.145{97C2ED32-0253-60B9-3A5D-00000000C501}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624689Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:52.801{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B046C7A763A3FE9244E3C95466E64C,SHA256=77FEA24B28A02AEAFE13DB6E4D831C607D00795D1913F70D756E0F7804A7A87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624688Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:52.801{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFEE13589C468E5D1F7CCDDC7CD0AE12,SHA256=4E6957B13988ECD471BEA69B15535ED32F062E09B72761B6B7284B96EA3975F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:52.835{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B67ED56E31454DBF8AE3D65541EFDA5,SHA256=F9669D8207943A41B672FB4860C31F08FB38CEDE7490CDCB1194332F34E0521F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:52.601{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8A08B1132FBC5A2E4FA379FA434EA95,SHA256=76BA8F4BCC3780746AABC104EAFD74A052E340DA77AB654D0CF1B6C9044DCA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:53.851{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61B695A35FC2775BAE353C56D3B83C8,SHA256=16AA0B87739E75A704FC6E880D999AAEFC3DD2427B60E6CD3872874A879DF530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624690Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:53.832{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386318E484862797952B4777F400086F,SHA256=0BC0537121CC1316B9B4B6627D49546A059BFE0F850DA0FABE914CEA6A16EB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:53.757{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B91AFFFE0422F96DAF5DC3F11C0EF400,SHA256=001F6DD9FBC138878BC4196B84763CCCC1370DD5819B8A5A0F95325072C2DC86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:48.606{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65132-false10.0.1.12-8000- 23542300x8000000000000000685141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:54.866{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BD173F6807DFEE31789AE3F27D3DFA3,SHA256=368578034B670D51E465A3338FFCE91F52A11598511717FC801E317B71BA3C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624691Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:54.848{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D6356D266D5581A1D7BDB295A6AB1E,SHA256=753CE6DE996DF7DE89EF7C91C6DE3885AC61DD0D6A125E35FCF39BBE90616466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:55.913{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB8DD81689795F99C4D66F0426DC7FB,SHA256=2E481528CAB37C374A9E526936A8A950EC6F9C4B28BF4091C7260F1DBE65A083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624692Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:55.848{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECE4581B4E9CABA011DCDAFE95FE69C,SHA256=23B52A7BEE3248BEF57658692E9C0623273D3D4338F9E91FB93666C7575CF0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:55.038{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB3C37B3AB31B31CA9DD3C4A8321C47A,SHA256=968288DA71163084C04B59BC1A4D8420A59E8D73D0BFA2F2EB28EE9429C3FAD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624694Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:56.863{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE177BB5CF613832426F9F2C5358618,SHA256=85BA3E07E4D9E0718DA6A03D051CFD859A8592843BD49A3BCB3248E51B58B1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:56.194{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB54B90E72C4B21DC343ECC1DD8363B3,SHA256=245F4849287D5E7496E555918E4FC0CBBD7449D910010612C62E2A68D11DFF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624693Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:56.223{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D9E5ACAE3877D6E416DDBC1721DDF46,SHA256=4B57D84AFA35DD5C4D79FB74055CA46D701E11EBF7B20B1AC295126051A18842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624695Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:57.879{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9751C9138F39D522938D26F525739D5,SHA256=2041526554CEFE7C1443DFF8B026B50F51939B320C307B7213EA3CCADD51B946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:57.335{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=340159B94186C47014245A550367D614,SHA256=DB45003EF88EA7C5E818FC833AFCFDD447A8D871990924F8D55131D537774A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:57.147{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194C6B05ABC849134B2DCEAD9F57382A,SHA256=A592CE5C4BA216CF422218756692C7D94CC4A063B85B2CADF4EFB626B4108460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624697Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:58.895{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4901A5521C629DF0CF9551ADBFF6BBF7,SHA256=AE3383CC230340A2E6B2841BB5F6EE13B9D2B74BA4E5B94E02E519A759C44D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:58.616{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31381C34CF5AE056CD792B1BD4BFF715,SHA256=502B812B0D8ECB4A1C171F6F01D9A06594290699E72592B4D2D05A7B0B317447,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:54.512{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65133-false10.0.1.12-8000- 23542300x8000000000000000685147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:58.210{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341DAF5CF890B238EAF326A70F9D65B1,SHA256=F416104C34E936934889C940A2C32CEC8881ADC529EA4CD0168D708CC78373BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624696Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:54.067{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51665-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624698Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:59.895{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296B4915838F751D1E656FD06BBACCBB,SHA256=EAB51645125C13F36B679D37A86E3D62EE02135C6338383CFF4E7B556372E619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:59.647{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F72202100EB3D0C0CD65780C031DF41E,SHA256=8CA6DAA65CF3DB604CBC7F01EDBC502B481B0234859C3311DA36773D442BC2DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:59.226{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0852DC1ECA9844E2E9AA8B38E3A4425,SHA256=B68F2A235A6CB1E0555F97587E2A87D403ABFAF3CC76DD4E8A0292853BEA4882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624700Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:00.895{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E1A851043B1D8D2AB6FF4D2C525896,SHA256=AD703752932A1E4FD5701C53DB296A4FE948F26CE100DA4BDF1F3B206CB76002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:00.663{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B07341804F031CA9BACCE3B00062C4,SHA256=4FA6E492FC7B2548643B5FB4186597F09910AAD546444DAA91AC9F532826F627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:00.241{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381A1FD76D875A8CB3DEEB2670D8D953,SHA256=5077DD6D156B615069BEB3E8726C4A2ED6779A761E37A20D817BE8DF6899460E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624699Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:00.676{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624703Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:01.910{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA48F57CF0F8B20FB792DBD786D1E01,SHA256=15300F4CCD0761F0CC39EAA83E86E3AEC12242269407C2DEF7A986A0CBE0329D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:01.960{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CD4B59E04D07ACED25CEAEDBA7E952E,SHA256=9765FCCAC15F29100A27CBB059225009A0AA0F575DF313DA76DC81EA94B5F6AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:01.272{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD64EB6E27233D0FF5672BC35C2BB0B,SHA256=87FE7726B98414D7A1784A77447B059EE3D80F5813259C5B16E83A32C58C8545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624702Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:01.738{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0124FA1169B52CC3B5288109A3813E3E,SHA256=A75507B775247F67A2F468ACA93B76C5CA0604720F1C685DE212023B08D8EBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624701Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:01.738{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AC52F6DD474914E965E0B531D0BCAB2,SHA256=B90BD3303E891A9A97BD6F7A4D3797CB1722065ECD745A93C7FF1A8997B89505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624707Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:02.923{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC22EB93C5EC8CE73DF40F0750BCA76A,SHA256=EDF0ADAAECD9C72BC5395C36C8023E530EC77768AABD2E0F32BAE630B581DB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:02.302{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3CC94D63F74713309E3B838850D6B0,SHA256=E5566511D4B741A908791FF5EEA3CB776763B59DB7BC5339D437013B43375B2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624706Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:00.082{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51667-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000624705Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:24:59.520{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51666-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000624704Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:02.876{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B419F3F6F87224FBAA720AD0097E4FA5,SHA256=565C50028149551C2ADAF7DD75731208737C48955743C06EBD8C448B9F8B9568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624708Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:03.925{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6630FBA6220EADF51E6AF191D9F7A9,SHA256=80880B962EE7D738EE28439C55E8E720A623C7E0CCE07735812A316B10C3E891,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:24:59.543{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65134-false10.0.1.12-8000- 23542300x8000000000000000685159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:03.723{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:03.426{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17350B4580FB15CF5465807B6C072EE1,SHA256=9C487F1329B8362ADD997A8E5BD480F236A387C1592BF1D165F679B1034E319E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:03.036{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BEE254CF10C5425B210D8CC0D3DC6D4,SHA256=2C00D1B0A21A6A84BCE58DDA2637F80B273FA28135E36E1EA92C401B15421745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624709Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:04.973{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB6628116AD0F63E1F534C14B0E3776,SHA256=DF7743FEA63D8D13F41A4724C9F775255147C1C7D40BE34ADF139E2B572C2870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:04.520{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEAF02370CD8DAEEA9230AF8F613E1E,SHA256=3BA83C5126747FB0782966C422935E3FA27653B6E9803F39A657A55C7AD2E5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:04.489{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E98D377A023E61878FF92B3127A2A01,SHA256=5F491E73E2561CBC3D4E262F09EC4D21CDDF6E101A00C208723C907A97B89B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624710Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:05.975{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B9A4FBC936E3A94CD5E07ED38C2DB6,SHA256=7C463BF45DFBC1695B9E01A27AF31964480144C0EFDE32242EAF9168C0B06E69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:01.119{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65135-false10.0.1.12-8089- 23542300x8000000000000000685164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:05.582{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6D243CFB6D56C287F1501167354DF6,SHA256=B4B45E74B4C933FBBC1C9E5A1E1BA6F67244A51F2AD97796F2CE212DF59723B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:05.551{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F714A3C704C4FAF17F0DAC3A90897F59,SHA256=A902564EB4F60BAC049D64FEBDF72A088C4B36DD3658458E22C02719C5B2CF0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:06.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FA6F5A57A7DCB4083B757D9CE4D02F2,SHA256=0CC1740CFEB3E0370C9BD4A473BB879F3F6489DF82A68C55AC3A9D005BA98D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:06.582{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A089C6E45EC8DEAAEAB773A76D6CFD58,SHA256=5D529B422FADA6CD7E164724F1C0FA75B8C969476F5884127D19BF21E3A53655,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:03.197{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65136-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000685169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:03.197{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65136-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000685168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:07.599{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD6CE63F96B1337A266584B6446E86E,SHA256=304B3F5BBFD60CA4EAD38FAB20CF4C4DFF84570D46447CDA679214C8A4E24BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624711Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:07.006{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3B750F5C490C0C01497DA553353B4C,SHA256=F48DF8ADB122BF04B55F2DA9F408104C9586A544ABC3BFD3FFC3A438DB847283,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:04.651{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65137-false10.0.1.12-8000- 23542300x8000000000000000685172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:08.611{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44B83FDC0CDE5F46DAB11D7C3E7260D,SHA256=D3DD4236149E50E6B311397D9AA18F65FF43BDC5B93884095849A5E05764DE2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624715Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:08.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3E6043D632348EE9565BFDDF7344D84,SHA256=DD6FEBCF4075B8F0E03473341635EB313F351DAB1931E2C66D8CD4DC4798BF2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624714Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:08.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0124FA1169B52CC3B5288109A3813E3E,SHA256=A75507B775247F67A2F468ACA93B76C5CA0604720F1C685DE212023B08D8EBB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624713Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:08.225{97C2ED32-772F-60B6-0D00-00000000C501}788716C:\Windows\system32\svchost.exe{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624712Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:08.006{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D314E92C72BEF1DECD2F2C4CD8FE16AD,SHA256=936C95429712BE31D6BF8130371FCE242715223934692ACE3F29D4EB825248CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:08.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52C8D223287DA6A74E3B2D15E85CE71A,SHA256=23E59B54DD33A8CE5E682DDEADA01AAA9B7545AD1B99ECFD1EB35FB7BFE75C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:09.615{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E409A7C97E618B44FFBB66E13383F9,SHA256=7DDABB998B1C4B19DD960FA73A6C2A52B6396287A768E6D4681FB33AFD0A9EBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624717Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:06.084{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51668-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624716Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:09.006{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F88DE1DA6787DBC2A1CE6722E12AAC4,SHA256=FE264C657A000FA573EFF5B36244B7C45C123FB199DE1FFE6E8C2FFEE6416178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:09.083{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB8BF9D96996315D71082374F229E8A9,SHA256=1F548F3D8E115A7E8890F80F1E4BE9AF84A7C234B67F62A26E1BDC797E47DB34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:10.646{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706B4E5385163B8EBB8A5962561ACD62,SHA256=EC8B9CB88260306EC81E468219E5E0C749ABA016A8F65095EAF8DDE0F2522ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624718Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:10.037{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A36434D6FD323BE76EDF4919E18253,SHA256=B47A89384D8452DDD29AC0DFEC3D5081BBB6EE0909932894AFD666F08E63606D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:10.146{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=093C3837C7CD782B92BEF67E7B20050D,SHA256=0780C1B09DC0DE0F5F127FF52ED47FCC691B6A391A2138C9489BA47E1FE3E16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:11.661{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879CD678391D81BD8A3166872BAD4A29,SHA256=24FFAEAAFFB2E25D808F04E492AC2EFEF8EDC778DD0F924E792DB246113F244C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624719Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:11.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C8BCC47123A7D075E790348FF22F6C,SHA256=98C7A2692F04A3FF7787C528C9550261A1F5A52AA185B659D342180B0D6C4497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:11.287{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15D4FB30D68A193839B73535782DF54A,SHA256=7AC70C44935180A6ED6B3E3CA324E8414C73389B16D35D71E4F075493E1E5706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:12.677{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5526D1C45D5181D9349D139F57417E85,SHA256=DC9BFFE80DFEE2447F489C8F3BDA23B1C3EB8AB7B6A7742D239D9613BAA2443F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624720Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:12.069{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8316DF9D4E0231FE13066C6ECD430AD,SHA256=041F49BF7D105C924DCBD8E094C90C3257BF503F4201ADE5E48215CE9D7B101E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:12.536{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00E62384E7109234CC47A1CB798C811B,SHA256=BDB52EC48C27A6458B9697D0FB46854F86D2D7D345AF7EF4286E2BF70DFB11FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.896{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0269-60B9-D552-00000000C401}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.880{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.880{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.880{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.880{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.880{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-0269-60B9-D552-00000000C401}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.880{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0269-60B9-D552-00000000C401}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.881{D419E45B-0269-60B9-D552-00000000C401}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.693{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCC13104CECDF1A71635B0FDF8789DA,SHA256=5EB70DAAD3D49345BF108998E4C2D6E2C48291B7A0EA2A008760F59729BE441C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624721Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:13.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88285F301DA1D50405B98865926D93BC,SHA256=66CDE279EC1A8253F7E630874A5E8A5A956C4ACFD978E915C1ABA39EBB8AA7BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.208{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0269-60B9-D452-00000000C401}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.208{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.208{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.208{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.208{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.208{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0269-60B9-D452-00000000C401}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.208{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0269-60B9-D452-00000000C401}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:13.194{D419E45B-0269-60B9-D452-00000000C401}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000685211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:10.573{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65138-false10.0.1.12-8000- 23542300x8000000000000000685210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.708{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE7614285CDB6C365B432AAFFE4AC00,SHA256=2BCF394FC17F1CF075766D68B9F603A8540F86B8FAF0581198B255A59F7D5351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.708{D419E45B-026A-60B9-D652-00000000C401}9605076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624724Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:14.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2DDB66375A67D52D89F30DED4EF4A4A,SHA256=E0E0B4F7A29250080F5D86820F302EBBB443A78195425C116811540EEEE78DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624723Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:14.272{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3E6043D632348EE9565BFDDF7344D84,SHA256=DD6FEBCF4075B8F0E03473341635EB313F351DAB1931E2C66D8CD4DC4798BF2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624722Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:14.162{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07951EEA2EAD7F022FF70DEE22D69689,SHA256=7CD3702E35BDAAA0EB8336C1248323F512F14800FE8A050889942009839F7987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.552{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-026A-60B9-D652-00000000C401}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.552{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.552{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.552{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.552{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.552{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-026A-60B9-D652-00000000C401}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.552{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-026A-60B9-D652-00000000C401}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.553{D419E45B-026A-60B9-D652-00000000C401}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000685200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.068{D419E45B-0269-60B9-D552-00000000C401}40327152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000685199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:14.021{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=500ADF8A7C6A67E24509FFE994C44935,SHA256=071424B942E2686FC20DCFADC96BF1B5CD7DBF441F93149DD36478E93B683ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.833{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D298AE14B23C39422DCC2BBEC4322803,SHA256=B965780D9FEBE959C0436F2CBEA98F564305CD47E1A80E61B03E7F1A86B11604,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624726Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:11.975{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51669-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624725Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:15.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150AD6F53B3A8627D4105D5A98D6523C,SHA256=6009A3656B84AD025C5417EBDB908795B755CB13CB6F70BBA0CE4439CB3F6987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.786{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-026B-60B9-D852-00000000C401}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.771{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685227Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.771{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685226Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.771{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685225Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.771{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685224Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.771{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-026B-60B9-D852-00000000C401}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685223Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.771{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-026B-60B9-D852-00000000C401}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.772{D419E45B-026B-60B9-D852-00000000C401}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000685221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.380{D419E45B-026B-60B9-D752-00000000C401}41162576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.177{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-026B-60B9-D752-00000000C401}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.161{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.161{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.161{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.161{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.161{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-026B-60B9-D752-00000000C401}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.161{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-026B-60B9-D752-00000000C401}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.164{D419E45B-026B-60B9-D752-00000000C401}4116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.161{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE5CE6E7B33907FD3F794D5DD941A8D,SHA256=E89F8FE62534CC5680D30FDF1C62E2B4409835B00D4604BC05EA232F9DFCA210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.865{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B982828C71DC5503405725FF8D151824,SHA256=49F8D608471D2E451A4C9B4115D5FB735BE281A001895308D61678B2C5F84A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624727Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:16.193{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B6EAF18E4D042685422B73A0B4B44B,SHA256=14FD2543CCEBB2E44633CF4C1CA34D7EC15CF73FD121A83B6331C8A02CE70C22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.802{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-026C-60B9-DA52-00000000C401}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.787{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.787{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.787{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.787{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.787{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-026C-60B9-DA52-00000000C401}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.787{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-026C-60B9-DA52-00000000C401}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.787{D419E45B-026C-60B9-DA52-00000000C401}6136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000685240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.505{D419E45B-026C-60B9-D952-00000000C401}61166516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.302{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-026C-60B9-D952-00000000C401}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.302{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.302{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.287{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.287{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.287{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-026C-60B9-D952-00000000C401}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.287{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-026C-60B9-D952-00000000C401}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.290{D419E45B-026C-60B9-D952-00000000C401}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:16.287{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18C0C9EB54EBD237903311EBC08FFB42,SHA256=D675B9D7BD57D3FE9001A8A1A726E98C14365BDE272E9928DC031148793DCAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:17.958{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AF54C13144DF51E3BF29797125EC36,SHA256=94E92A97E5428E478A946C09DFB0CE7E2AE0D2132FB2C2CAE80B3C5B549BEA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624728Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:17.194{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4628BEA9E74D33EF95C7518A55D7D799,SHA256=C76C28395F6404490BD9B12BFA9DC60A5B679A1F58A975FB8C62546020A52AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:17.536{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D380F7DAA8A112877C4F980102F336A,SHA256=24E1F260497242EFFF684C1422BFAFA51907D78FEA418BCF44E6DA8F06ECC951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:18.974{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A38872A94951B3C6FE909A2D7131CD,SHA256=C03169851B0E2AA72D341C602589AE6E226C6D1F50EAE022AC6763BC178CF979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624729Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:18.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4676917BD650161A878E5941BE37EBB,SHA256=14E816DC7C1419DFFBBF44689938C69984680C20D138432F2F5A788A04E2E20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:18.787{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=666A300F8670D19B0C4ED6BD86935CBF,SHA256=E2146E5191A36F755C41550267131DDBA5FBB600BC50FC5F7349053D218E47C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:19.990{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B715CCEE0AFD47B14A730B010F8CC49A,SHA256=5E950D9E34FF5959F9FE89B43B233C4C9566CCFC3436A970E511BF6BFC35FFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624731Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:19.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE0BC3AEF0A06298D2EC2796552EA81,SHA256=68BB8C15BA73D119A7BE63B9C678EB9509CCC7ADB0944BF70FEEF86515D81F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624730Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:19.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2DDB66375A67D52D89F30DED4EF4A4A,SHA256=E0E0B4F7A29250080F5D86820F302EBBB443A78195425C116811540EEEE78DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624733Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:20.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2B5676C1DACEB2C1CE656F203E8915,SHA256=A2CB1E78E75B6BB87F17BB8C57A299723B1457DAAEA8810C6D93316F679FFA93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:15.635{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65139-false10.0.1.12-8000- 23542300x8000000000000000685255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:20.052{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=488193749B27B52933A0DE0684453A23,SHA256=8AC0F738453963C7BA080C4B73924B6294FBA7E57EE34F9714D825EFB1A9C009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624732Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:17.038{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51670-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624734Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:21.225{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8F57119396C7C8CB9BD2D2AA42EF83,SHA256=7057FC6D84AF93348A4976444C819E95E741E2367235F255DD32CBA589221945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:21.177{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C181C14F6520D103B22792E6637C6FE,SHA256=F12C32C06A86F84CCBB9CB57D8B6F8BEF9F9BD3F46CC5F66930475DA8E2BB2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:21.005{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74EDCBCEB3468E97A14E34AC03F14C9B,SHA256=0B576A4366C9BF75A538447CB5632363D259FEA892E6688FE18AB1904008D452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:22.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35B00A64634F6DE37D0FAC730ECA965F,SHA256=3A05562A2E0DB7DE9A0785D48AB98CF6EFCBE3EF21F776AE4560A53FB8862802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:22.021{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9878BA56BB9EEE06018BDCD74744B68,SHA256=5F657E630C33F3E6DAA8014702C5D51DAFADDCA265D0245B08C6954DE90A696A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624735Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:22.234{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA470A2EE356B1BF75E8B7B9B18F8ADC,SHA256=F3C86E390CD81EBDC1A5DB790CC891FB4DC859E8E1D5FF778A7C19AF78157106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624736Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:23.296{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFB0E29E45C704D9183CEF0859178E2,SHA256=58372129B6426CF0F8D8D0E5FE25312AEF50B4539C3DEB7DD4339671472275F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:23.440{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BEA843279DA0FFBED4F470564A12088,SHA256=9C2D1A67FD798E511BDF7D7A9AD6A14A2B2332C40316E98E1C0193E585414F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:23.049{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1174F61F8886FB9548A73501AE84FF4,SHA256=1589EAFD97AAAE3830325402B633DC14A77D4C0CC08F1742D8BD2084477D039C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624737Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:24.312{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB27A4AD9E66F7D16226CD84F673BDD1,SHA256=466445236429A526A6058A98BF9D838B8D3F660C03F8EA592FB6EA17357BF7B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:24.596{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7F34257B674899EF7BFEE5362F078F5,SHA256=C3612E9A12E782D1853D915825B62F6C99EC31B77D513A987E923D25C9872E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:24.205{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B72E4462AFD0350A2A11FA023A24724,SHA256=6FE81F9F78E65117A4043719CC914CB20102C84CA00B6F1293B67CC3ADC0FE0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624741Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:23.015{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51671-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624740Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:25.327{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D723A870398C7550BFF35B857017B83B,SHA256=8260212796129F9A173ABAA7A53164FFE48C4D2E415523DA46284836ABB70799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:25.846{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE847AD178A690D7B263D0EAABD3597,SHA256=109A4C2BB68E5F4E0FD54F40FD0659DF90B4F23D445630A83F6F53FB1D120A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:25.284{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0B940F8C71C654A70E5B18EAA2B892,SHA256=37BB1A5376EBB7B19494301ACFAA2AA2C71BD6096AD80AF2D99EC639CE668B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624739Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:25.171{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B0B9CE5EC42C4F57E023CFD09275DA0,SHA256=70BB9347327DFDD78E6B59B2B538BF2659DC6174DF2C59759E23ACA47DE32C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624738Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:25.171{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5D8A50356E486717D3AC1F5C30C185D,SHA256=D5A1B5ECCF4D7CB316A1F2650A1A4E6D1D8B538AEDAA8DA52E2954A9A1C3B057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:26.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C12832D7757B95125B6E24FFDA4CCE,SHA256=8DF4D0F2E2E0F629EC5A60123248948EE12D54AB449BF4D397096A2DF4FDA0EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624742Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:26.328{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8A12A472201E54B7D60EAD31CC1A3B,SHA256=D0372533182736C522AF81DE3C27E55793C1C47DD7C255D1F15C18E81FB2C831,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:21.554{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65140-false10.0.1.12-8000- 23542300x8000000000000000685270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:27.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03EBFB29D5D85FF91CC5ADAD9B110901,SHA256=1A2F8AB5A064EDE09A3BCD06259A70BAC02F1A659D52873380A09FA7F34F4841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624743Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:27.343{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF5840035769F1D62613E9D3FB914CE,SHA256=B233B8CE11F07E1D521CD3D0D571B20A2CCE86A450AC7B39CBDFC2266B5F571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:27.002{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D3B2A8F846B72F3C0DF1F579ADEBD18,SHA256=762C65AB1C7BD3DFABF557025178BFB41C8BB1652E1B5415D44FAFF02922B89E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:28.549{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1816A6F5BF76D23F05E94A356AD60854,SHA256=C170BFE0EB0A474DF0E3959BC73151845CCF378A8E3BA5511AC9516FE5158E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624744Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:28.343{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35620B05B926DD0DEDC93D5244273001,SHA256=839EA986D14D15195A212729440A64B2AD981BDDC84DDCBC7B47C32F4C3BD1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:28.049{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79BB23B20D02ECB6C1B47F7D628CEBD6,SHA256=4204B5B5207D7EADED428255834E43F80BC2E083F795E6EF149FCD9C8D8DB27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:29.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4CCEFDDB0F006B3A2961E53C6CA72C5,SHA256=D2CE665016D0F48C4ACF39E5F96FA01E4460242FA98F1EAE779A19F36B382601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:29.565{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123BA3C2461A84A897F1DC09A613C5C3,SHA256=A88DFF4B8B0D5079A9ADEC187BE656E77D1CC85EAC2D69777D34C70CD745DEA3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000624765Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.437{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000624764Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.421{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624763Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.421{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624762Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.421{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624761Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.421{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624760Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.406{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-0279-60B9-3D5D-00000000C501}1996C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624759Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.406{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0279-60B9-3D5D-00000000C501}1996C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624758Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.406{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624757Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.406{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624756Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.406{97C2ED32-772F-60B6-0B00-00000000C501}6283716C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624755Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.406{97C2ED32-0279-60B9-3D5D-00000000C501}19965292C:\Windows\system32\conhost.exe{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624754Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.390{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-0279-60B9-3D5D-00000000C501}1996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624753Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.390{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624752Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.390{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624751Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.390{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624750Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.390{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624749Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.390{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624748Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.390{97C2ED32-9D3E-60B6-7A08-00000000C501}33642984C:\Windows\system32\ServerManager.exe{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000624747Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.389{97C2ED32-0279-60B9-3C5D-00000000C501}5932C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000624746Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.343{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=CD5954A352A88854F131E61DB9910DC6,SHA256=3D1A8F7F9543B46658E84731B7B2CA0987BAC2E26EB3465141DA1C8DFF749EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624745Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:29.343{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FD0AADF944AF890493B48DFE7642D16,SHA256=320A184E118FF45C3F9BD62317F4D223C1936E072D62BDEC5CD86B204F211F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:30.721{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=143B6C30F5AEAA22D76409F3D727383E,SHA256=A7F270D59921EE94BDA3D3133AAFAAAF35DCA72C0B7EEA4DD5C8C6411A701106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:30.612{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E445AC16D02F91D14E474B1960BEA44B,SHA256=443FFEA7DF5F662AFF8B4C791E01947951C7DBB5BA16C68A435E937993F63215,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624781Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:28.303{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51672-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000624780Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:28.303{97C2ED32-0279-60B9-3C5D-00000000C501}5932<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51672-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 10341000x8000000000000000624779Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624778Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624777Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624776Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624775Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624774Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624773Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624772Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624771Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.437{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624770Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.421{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48D8FA4DE5E7619F923BBDAB3EF85CC,SHA256=0B73D40C92096C7AB0DD7CB782D03FA1A9060FB4CBE9AC1D3A55ED728E54E956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624769Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.421{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B0B9CE5EC42C4F57E023CFD09275DA0,SHA256=70BB9347327DFDD78E6B59B2B538BF2659DC6174DF2C59759E23ACA47DE32C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624768Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.421{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0E802D9E51217A998A1EC923DA72344B,SHA256=527053FF4E0AE540AEF65A8756F9B235465C3EFA538AB6186DCFE4D58F6A379B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624767Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.421{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=57568D9C6A215E9C4C65D820800B7B81,SHA256=D478E938CCDB3154601460972D978FE98FDBEAA5D53024A71652621DB4BF022F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624766Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:30.359{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9171C8375C519899915A1FA6DC5EA52C,SHA256=FADCAF9C54ACF554BA3262603AA06E2F697B94CB5F13BEAF6DB92471E3119594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:31.659{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF6C169A9F2514CFEC429033C26C893,SHA256=431CE70F30D950A86E6FD41B907EDA40742B44EBDAE2BE749ED4C0BEDB2B7353,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624783Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:28.969{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51673-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624782Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:31.374{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F775D0DA412262A0D2F2B9CEB76FDC,SHA256=D1879D03BC699A61915BAAA9D06DF629851AA5B8EF25E31FB748AE0D0A4B8F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:26.663{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65141-false10.0.1.12-8000- 23542300x8000000000000000685281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:32.784{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE839DF59ED616E06955A82FB42C678,SHA256=D69A3F21D0BAA551D1D2634862A917C58C63DC99749A6924FAF84B6E66F3C191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:32.784{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E5C9D34F0256D4C93DEEC8FDA5D3E4F6,SHA256=F56821834FD452F5226E4CF320F5B903B0C1499202E61BF86F06D29E9EDD7D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624784Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:32.390{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75550C4F075DC15FDF2471DBD828CE53,SHA256=55618C95089A0C04A95F3D0EFD6CA2900AD933EA845404419F54E553A2EE1B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:32.034{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16E63AD02005AF0700C809AC49551503,SHA256=A790EF636222633FCEFC7EBC0ABCA486F1FE3C20956E1BAE051144419E46C76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:33.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54341F0EE2BC504462E6DB279E90204B,SHA256=24141316A53B7D25E067AC576955D1C795533747EB1BC25C08E11764259C8510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624785Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:33.406{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE668FA23DF231BDE05D95ABE1E09088,SHA256=4CE358ADBC8B1754C4E08DB6D86F20A5FA60597CC9D3EC4E24669AC5A9CB0408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:33.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9A393012B5A0EFADF14ECDFE3643571,SHA256=BF164D42FE109C5C3D06DC47BA534297EAFD9F848087A47AD9CC2542EB11C2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:34.830{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FD8F31C6DF375FE310AB37054C72B1,SHA256=975B9E7F254650DD77828D6AFDCFCD4D22F8F66DA8D20A5AF956C60DB2624876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624786Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:34.406{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5249FBB85EBC61D652D75F1FC7BBD7C0,SHA256=C9C6FAAC8D5AA115288C5B415F51FCF39729654B80393877829FC41A6DBC42D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:34.205{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE83C2F24DE83AEC8D2508E23990C696,SHA256=F077BC1717A99262F8AE7BA43976FEA5F8F2E4FA6971479AF1FA9075C649FCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:35.846{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7C7B24766BD0C6FAA618EFC807EBFF,SHA256=4FD6216134DE46554879ECBB44A4DFA04554205CF08D78FF96801EC204C255DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624787Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:35.406{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EADE556EF14B3E1E0A04A5F3BB0DBFF6,SHA256=46944820D85A6F5A61BA8FEA6F0A90EF0433BC7A4B7FE2CD374089FF5B2E2054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:35.455{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6F47944B013D5F521E31FA675BF7FBF,SHA256=7C384231DEF5E432645E6A7F0E21A25B10DBEA8BAFC77D203937E56E0C32A7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:36.862{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF932921021996AD34AE4244B864D2B,SHA256=0BFB30165523BB7AFA3A465AF6E1B1BF19B52B255C72BC5D200049F88DC00F0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624791Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:34.000{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51674-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624790Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:36.406{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5E3FE694B051528B4DE80AE9326080,SHA256=9580F2CC9B082B24B0D13501598E01FC10A728FC31E40AD6277F911F867E61C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:36.705{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1791ED94CF0E5E5D7B649E076E5CC1F,SHA256=9A3985EADB3707612F66C56EFB0B9B6777A00C6751D658E6F0ACFD7DD4DFB735,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:32.476{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65142-false10.0.1.12-8000- 23542300x8000000000000000624789Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:36.359{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F34CEEEEF6F200E2B45D01DFDC75D55D,SHA256=7856C0AD0847C0923BD12E91760B03C08E2A55E583EAA29B5A75D393F45E8CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624788Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:36.359{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48D8FA4DE5E7619F923BBDAB3EF85CC,SHA256=0B73D40C92096C7AB0DD7CB782D03FA1A9060FB4CBE9AC1D3A55ED728E54E956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:37.893{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C02F4E111D809EFB018B21583F56DBA,SHA256=885EA569B16055EAD296FA9C5CDECBE11EA157A5977127D8669039164B36836D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624793Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:37.421{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F1056FDE49C5FCD91510CE60B68C49,SHA256=F00FAF58C249826CE385C66FD13F50CD51FD3A0F05912CBD0B86ADA1FB8A7EFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:37.362{D419E45B-752F-60B6-0D00-00000000C401}9041968C:\Windows\system32\svchost.exe{D419E45B-78A3-60B6-B402-00000000C401}4592C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624792Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:37.359{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-C506-00000000C501}4092C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000685294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:38.909{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC36F2069160EB0A93BB0C4F9750FB2,SHA256=B0D15FC599574B097499CA13C5D5822CAF2A218129AF9F631DB9DF946FAC7404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624794Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:38.437{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AA8E5B27D5124996ACC375FA21CEB1,SHA256=ED3DD58B79AB8B89FD49A625AF20BF8ECF110F6B080DEADBB5BFDC09E837648E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:38.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DCA65C4DC7BE7487CC1F8960D050954,SHA256=0745F21D478D4A18717839E4E6473D700A0564FE4ABD55F2BF8937C1BAA7AC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:39.924{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C161441F745A3A44E654A69CBF2408B3,SHA256=AE4BEEA2B7F8661BFC8DA040FBF63CB880DF6E4E69C56237514EA9A857FC35A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624795Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:39.437{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B7DE92D57D01219A61DC462CB3E0BB,SHA256=13BE35CA6A6D8FC5AAA35FACF24EE263E3252FFCBF974C11722615CFE7E28BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:39.221{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3A5B75C60856624834E8A886BAB9D55,SHA256=42C44FEA208EC9FE3F73ADD6795F4B5D29C8DA8C1380ED0D1AF7DE6A11F40C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:40.987{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F61081AE0FD8FF1F728D5CA6AD51E74,SHA256=7BF66164A278638066C7A68B875D78F495EF28EB1A9AB2E3A1AD6B296207DF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624796Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:40.453{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC20675C03C1A25F72FD72A60F2F2C0,SHA256=D22981E801E830B14CB4275A61CE5292F3991A49928E9ED8774128DAB21F1F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:40.346{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FFE39778DD0F3AFDB1DFCE57F576FF1,SHA256=AE2F307B21A4A809F4CA3B313EF98A58143DAB57CDB6A080F91CF6C7B1431788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624797Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:41.468{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9D8BE44B125EB276C6A30134626419,SHA256=40A1DB746BC079786AA03936184065A37D1C116DC900D41B511B689F3EAEA3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:41.471{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40F1003CC06D4A1C03E08B2B474A53E0,SHA256=5EB86325ECA191626AC90DF5B24D8AE98ABAA083C6D8BC0B4832B6B404B1C020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624800Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:42.472{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0A28BFF618931AC1CCC592C8802CE3,SHA256=1A2FD028C597FBFA99CAF35ECB135CD140B5280A2A31F9ADC765E83DDBB420BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685302Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:42.772{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD676EEF576083F49C10BA161D77B8AD,SHA256=616325D2DBA8515A039124518EE6F100781D25CEC3269C2BBD0F41439EEB845B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685301Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:38.523{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65143-false10.0.1.12-8000- 23542300x8000000000000000685300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:42.034{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B28FB4A29D667ABC3BFD43DC6A015A9,SHA256=E2EEBB1F7AC0EC543CC02BBE9C805BCC3AC7638CA534ABDDE2F75FDC11BA9BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624799Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:42.140{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363C47554A72EAE1EEB35F9A8527ED89,SHA256=49AFB0C7E76CF27007995E6A28586DAB5E1265021014F4CC5C8F382B4CB70ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624798Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:42.140{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F34CEEEEF6F200E2B45D01DFDC75D55D,SHA256=7856C0AD0847C0923BD12E91760B03C08E2A55E583EAA29B5A75D393F45E8CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624802Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:43.472{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5D992BF2E4AB98D94FB07F0C6E0722,SHA256=F2B69780249832AB98C16E8427FD126683E72B20EF9F7082345191B1627CD5F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685303Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:43.038{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113FEC79124E2D60B002C25E8B822429,SHA256=6DD93FBF2F29AF0B8E726A9C6872B1B8D7CCA7C5A7205E7BB59006952B62C4C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624801Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:40.002{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51675-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624803Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:44.488{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A1564C187F892A4DF5FC8840661508,SHA256=B47587F641D98769FFEC3D710292C78CCA95A256EA21A2C3F4C4D4126AF4F286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685305Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:44.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36F4471D822174A3D50324C2C35F5F31,SHA256=1FF41A6E754A37C81A0E2771E8BCFAD771B035E1487992067241D823558A03BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685304Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:44.053{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719AC068F755CBF8D0520AEEEB649B38,SHA256=0A2FFDE5DE30812C9E9E6B30677E04446E8C75F304CDA32D2D867E5060BB7E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685307Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:45.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0843BD7D3718097E480D0B68C77AC420,SHA256=1EE8B5CEABC9701A59C25E9A8F3D6BD716F39D2A4FE2E3E7B86E21F0A8686175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685306Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:45.085{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B02E9C2E882ABC5DB42D62F75DA944D,SHA256=93323B8A270F5AC40BC26DEE7CAA2B8D0646D3571DB363D6B06F59B653209AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624804Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:45.503{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2280B421EDEF3B98A4C5DD4E5D9DFC6,SHA256=7D2D8CF61C1DBE728DACC8AA4004FA2B24F6FD7E21C5A5DED4FB644D1DF55E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624805Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:46.503{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DADB41FB729F39B7D89855B290735243,SHA256=7E79891DC5B40300FA0BB3E8837D4F1F477DD790CF59092A222F8925E61E9938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685309Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:46.475{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A08EC69ED0B0AE446B8868C42089F9,SHA256=36C89BF1E2E7AE10F1B190CB86EC28468C06E7E98386B76173D6AAF4EFBC1FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685308Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:46.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE25793C59C349ED7DAFEA87FFC5709,SHA256=18BA957E2CF13203F3F17FD9114B4BF9E795A90EDBD503E4D0A57F3E254D23E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624814Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.691{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-028B-60B9-3E5D-00000000C501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624813Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.691{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624812Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.691{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624811Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.691{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624810Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.691{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624809Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.691{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-028B-60B9-3E5D-00000000C501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624808Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.691{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-028B-60B9-3E5D-00000000C501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624807Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.692{97C2ED32-028B-60B9-3E5D-00000000C501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624806Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:47.519{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B0249E0CB53304D80BC9616E0040E3,SHA256=04347B5D7265EBC12C7A6BC7FA3BE4CB529F359A30320DB8E6B97831CF3CB458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685311Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:47.616{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4BD37AC6445B1AE0A8D22C01D80D795,SHA256=B16693CB89C06C0C2D23ABE228D214B7DA7FAC6BCE3F1809C7E9B8E720DA89A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:47.147{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAD7B7A4C0E5EB7693D52C16A02BEB6,SHA256=C1C56D0F1F15D867D57D8D5660D7215604757FA7DF9E3325CB2A3E287B113382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624826Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.535{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE53268BF35FDEEAA184EB86F83258E,SHA256=2D1FB386CC9A801E0B198932D2B7FCCFF830E57A92269352658DCD7320209936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:48.866{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73F34BE71D82099EBD63312167AAD562,SHA256=3636D5C0BF99497AA14105726649485BA621E3A225077D7BE6488A8E4DF50792,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:43.558{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65144-false10.0.1.12-8000- 23542300x8000000000000000685312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:48.178{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A7CAA57AC58BA74E34CA0CDF13C0A9,SHA256=81DDBB2941EE3561F5DDCAD1965C33E44F6A6E1B0A0CFBC7488A067E65119C35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624825Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.503{97C2ED32-028C-60B9-3F5D-00000000C501}59685796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624824Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.394{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08A1E70531459E8C83D83202083FDF27,SHA256=A48C5E30CCECC2410C530F3CAFF40DDEC50A6D1D7281ED17A3DDBFFE999B3806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624823Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.394{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=363C47554A72EAE1EEB35F9A8527ED89,SHA256=49AFB0C7E76CF27007995E6A28586DAB5E1265021014F4CC5C8F382B4CB70ACD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624822Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.363{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-028C-60B9-3F5D-00000000C501}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624821Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.363{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624820Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.363{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.363{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624818Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.363{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624817Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.363{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-028C-60B9-3F5D-00000000C501}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624816Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.363{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-028C-60B9-3F5D-00000000C501}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624815Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:48.364{97C2ED32-028C-60B9-3F5D-00000000C501}5968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000624845Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.707{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-028D-60B9-415D-00000000C501}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624844Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.707{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624843Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.707{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624842Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.707{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624841Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.707{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624840Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.707{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-028D-60B9-415D-00000000C501}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624839Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.707{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-028D-60B9-415D-00000000C501}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624838Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.707{97C2ED32-028D-60B9-415D-00000000C501}5872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624837Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.535{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CDB471E76AED019F28766DC3ADCBA7,SHA256=411AA4A34350ACF509553C535F1B98A6001E1F32851DDF99BC54DC694385790C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.535{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08A1E70531459E8C83D83202083FDF27,SHA256=A48C5E30CCECC2410C530F3CAFF40DDEC50A6D1D7281ED17A3DDBFFE999B3806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:49.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8BF014C801F490B552FC2C5DB59641,SHA256=08AAF637720842E7B62C19A5D77348647C2C53FF374797022C0D2FAA8BED5AA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624835Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.035{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-028D-60B9-405D-00000000C501}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624834Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.035{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624833Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.035{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624832Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.035{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624831Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.035{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624830Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.035{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-028D-60B9-405D-00000000C501}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624829Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.035{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-028D-60B9-405D-00000000C501}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624828Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:49.035{97C2ED32-028D-60B9-405D-00000000C501}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000624827Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:46.020{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51676-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000624864Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.957{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-028E-60B9-435D-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624863Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.957{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624862Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.957{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624861Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.957{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624860Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.957{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624859Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.957{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-028E-60B9-435D-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624858Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.957{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-028E-60B9-435D-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624857Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.959{97C2ED32-028E-60B9-435D-00000000C501}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624856Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.707{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A97C6CDA94A523121445DCB665C18AD1,SHA256=B822AE6F26BCD3EEEC164639D93EDC41B8B0865B0E8C4FAFE0971F3C04F9F8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624855Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.566{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D69A9978EEEFA75653BB09042D8B57,SHA256=F964F555846E8EB81460BBC7BAE474BD7DA1F0F195B89A330AEC1D18DCCDC93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:50.522{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C00AE0CF610FF2BA6CD51C1B340A7AF9,SHA256=78B7533F8CBB89F31C90675D76DB57945310028027407B6A12A1700267032587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:50.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB04EF3FBF18124439AD572E9F20CCC,SHA256=68D140A846AD0BDBD0CC4366DEA7D40A216B86B0C9CC389B5F9226DBF6CFEE01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624854Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.519{97C2ED32-028E-60B9-425D-00000000C501}41121504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624853Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.378{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-028E-60B9-425D-00000000C501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624852Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.378{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624851Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.378{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624850Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.378{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624849Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.378{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624848Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.378{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-028E-60B9-425D-00000000C501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624847Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.378{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-028E-60B9-425D-00000000C501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624846Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:50.379{97C2ED32-028E-60B9-425D-00000000C501}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624876Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.972{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFE3DC874FCD8590FC17F70E7C8A0531,SHA256=D50CCF41B7E178DB16EF0E72506520582FC461760221BC81C7DF9973E812D890,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624875Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.769{97C2ED32-028F-60B9-445D-00000000C501}4996800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624874Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.628{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-028F-60B9-445D-00000000C501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624873Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.628{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624872Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.628{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624871Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.628{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624870Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.628{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624869Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.628{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-028F-60B9-445D-00000000C501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000624868Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.628{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-028F-60B9-445D-00000000C501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000624867Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.629{97C2ED32-028F-60B9-445D-00000000C501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000624866Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.597{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886EB1DD8D3F426627EE7BA816025992,SHA256=339A818141BEABDA53BCC9429C6B4EABF4D603F823CE583B765216D830F6DF24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685319Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:51.569{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=122FF37DBAD83DF1FC9FEF6A54AD7FC0,SHA256=6453E53922355D7EA4782CEC23A2833A3D4D4113BC4EB0A958422A0C8F35EFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:51.257{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124819B3CD443829EEF503043E12D318,SHA256=286CEE69421D5BB9413DE4343FC9302770F0C2AD603EA76EBD439CFBB1338D36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624865Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.097{97C2ED32-028E-60B9-435D-00000000C501}28605636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624877Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:52.613{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40FB5314FAC23B7A340469743BE0AB93,SHA256=5213630E403ACE03E2ED305396065F11B64CB4EB21D8B5184D1B17F11DB1A6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:52.710{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE4AB0836CA94B3A228543CFE1C1AD24,SHA256=D1938948FE1B09D59C53AEFAC514E810000F65217CADFF538B5023050EA6D8E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:52.304{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07FF5ED2D867835D9300F599116D480,SHA256=0C3BE49FC32386BE07951C0802948A3E3B089E197CFFE14BE54556E871A40FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624878Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:53.628{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCA38B381A28FE3B6F0DB16FE939A7E,SHA256=FCAD367301415F786AE7F0AA41135950E68BC55BC44D08D113EEBE0E2455ABB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:49.573{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65145-false10.0.1.12-8000- 23542300x8000000000000000685323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:53.850{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87FA2FB5061E4D2FEB5EA502CE3A02CC,SHA256=03950DD5B8AF4F3F55AD115F795EE4A648F83BE7F9A620528DFCBAB2D8584F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:53.382{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1130EA59CEC6F90D76F61EB10822832A,SHA256=D37870BDBD027A38F749FB9236359D40D50E6A40C5C3A4788E29AB9461B2DED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624880Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:54.628{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00360571B687BBCF2CB1806F9043D3F,SHA256=395F78EF09D52C2C71F412453038574F91F0702922144FE639686B1657FB2C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:54.428{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06107CB0C54B3FBD356BE8A1A8D9B93F,SHA256=DCE6470EDA782BCC552CEB96699E2252F7E61F6F793F5181CB4D15D1EBA67248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624879Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:54.035{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F290873240988EFF76D203666CD85A6,SHA256=A6278BE48768D32837648119E384C273120F239E5D7C7A113B6720D41315C79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624882Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:55.660{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9B87237A071937E0F0963BFCE1C4EC,SHA256=9B960809E2D5A8330F0182B6BC99A66B7E89C3688629AC1420DC55543E83F81D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:55.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB5FFEEC3218242970A395A9A8742BA,SHA256=2BCE1EF9E9F08D83DCD71A5D1BDAD389532493F5B34BAEA7037FAEDB930AAF7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624881Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:51.879{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51677-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:55.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23D3C247278C4AC6BBE2D1255856B21F,SHA256=4902B9C39DA99D39A0CE9C0E54838CE200B283257D7BFC9DA5302CFAAAA4A4CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624883Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:56.660{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA568B0519F052C0CF2CA65EA09A1B4D,SHA256=697CD1D2116CFE9FBE512785843DABE2230650E97F316740D2F246BDB22D9F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:56.460{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BB700D0F17657217FE36E28F7505AE,SHA256=4E3FA63FF9FC6C7811BD47F98EA16146A49053A70532D248656D6969A8BFB303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:56.335{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0C3746A2538135DD4BC150B123288D7,SHA256=017FA5F575532251DCB167DA0C9B74E5B5E468F8DE714B328C0CDE548A09A79C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:57.616{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F6092DACB2C70E14129DE665EA1BD95,SHA256=15E4611CB88836AA4C39D982A1A07F7592AE41C0792ADDF9911D7B9B7A537066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:57.507{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2228572C10DF0AED2057D2758720F8,SHA256=52C44EF082876B0C8135E3AA7243812B2508A352E1977A359C986165C25E2761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624884Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:57.675{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E016E9315CDB6C5F461D1DD0BE161D0B,SHA256=390594A406EF06CE08463C9F2094EC63C8CAA58578E59977562D11C0BBD32BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:54.605{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65146-false10.0.1.12-8000- 23542300x8000000000000000685333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:58.772{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBE1F671DCA9A4A3B4701446B1A23561,SHA256=9814CFCE26F235AC7E5AB2AAC6571D75027E4D4B02F619D161FDAB685B1D2624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:58.522{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EEDBA6BC77B4F603E72CC3BD9FA6DF5,SHA256=9FF5F446661C6862EAD0FD88415F9E70152EC7AEC800BB52E54C923CAA104966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624885Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:58.675{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48357393BEA5F8CB935FD916385E57ED,SHA256=EA812F3B62CED9005B4E2C7C94F166CA278E02541632116B5FD5E9B4E254A73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624888Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:59.706{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F67E5D95B9AA8E82EF625816C8EBAC,SHA256=CF565D9B373EC7D8EF900358B8785C3A513E973F8D3EF4BF3B970B3A9135440A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:59.897{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EE3D4718F1768A0CB6ADC3200D4BC2D,SHA256=E754BAFA01D3DDCF1C7BBF83E5F2B3DB4CA79DBDF8A36242BD146EBB253F08F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:59.538{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0D1A6B5BF35B35300DBF53F759C236,SHA256=01DF3ED9B7DD603494B6D19D286537C361338AE97382C908647AB0F01DCC2678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624887Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:59.160{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=054952BE7005E84BFE536BF575D6BFD2,SHA256=FAA03E124DBB7A9BE0165A036DA19977AE8E543DF69FB0EC95ED264855E94EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624886Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:59.160{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9FC50D51A140F17548F9A0DBD3973E5,SHA256=814B25E5B0EC18CF5E4EB50A37275EAD63831754B748503CE64A78D22E5DB5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624891Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:00.722{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C9DC05FFE60A66B0322CE04F86EADB1,SHA256=2F5A8EFE9B8FD6E1939842CFCC29F50D4A27D84B955C7F49810DFA2606D7F234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:00.553{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D553BA753D8D2CC4EFC29AA3566DF07,SHA256=2B54F16EB1B467F65B9F101EB96CC2A0EFFA64B0D55B7AB1CB0978F885E8A275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624890Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:00.691{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624889Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:57.020{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51678-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624893Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:01.722{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD13E6392692F0F6D19DBFCF6D60A07,SHA256=9C9ED6C8FA8E1B87BFA2A74AC8B2BA6D3A9A1CF88172764218651E3D884D8CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:01.585{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D97A63FAA428F3AA56F8DA84259353,SHA256=9261E6ECCA24B3169B945F49163B2C043479A8566E3EACA85212455242846B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624892Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:01.691{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=054952BE7005E84BFE536BF575D6BFD2,SHA256=FAA03E124DBB7A9BE0165A036DA19977AE8E543DF69FB0EC95ED264855E94EB2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000685341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:26:01.210{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000685340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:26:01.194{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Config SourceDWORD (0x00000001) 13241300x8000000000000000685339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:26:01.194{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_368F3813-04AC-4615-AECE-5D3085605520.XML 23542300x8000000000000000685338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:01.163{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3F870B69B3DF96514E844A72F86C75F,SHA256=42A92C117853D1B882BA75FC23F72B52D6720D4D1A59415C9E27BEAE545F0880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:02.713{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ADBEF7F42AE1FDE878486C6E53BE45,SHA256=D27F528CB3003518A03E95CFBC48784A0F6F83FA136DF484E02F8827129AD0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624896Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:02.882{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8EB3485D63275C8AF80AB60D464D64C0,SHA256=CC73BB3277DA6F098869D92FDA5C640D8319D29F69FD751BCC5D75AE486CE5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624895Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:02.725{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FFB094E0FF6FE53DE5F4C5C2BBAC26,SHA256=4D6E3F6BB9CAA13854B0E3A4D923F32BA9466B944ABE88120C2874E4F5A2D24B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624894Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:25:59.535{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51679-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000685343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:02.260{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BA8DA047763B24809BB5B10F73498BE,SHA256=D5FC0B829C433EBA839CC6897AE369CB05FB9E10409F4F0BA122381DD7AA9231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624897Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:03.741{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933A23B5C6841B36A2DEBBCDA1A76169,SHA256=D45CFA2E9C59C165D358E028039C5058060A03646F78647390F22B832F0F522B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:03.760{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8838F3D6AC6BA663BE95F9AAF73721C3,SHA256=A8F54920BCC6C2FE791B1E26E884A53283B4CF5672486E99210A1D8B8AFF10A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:03.744{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:03.260{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48963854E5721A2D9D47BF0DDB16FAC,SHA256=E950759F66C4456A2E8FCD60395B1C5589C5FF83CCCFA6CE6C5608CCCF939906,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:58.635{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65149-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000685349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:58.635{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65149-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000685348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:58.623{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65148-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000685347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:58.623{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65148-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000685346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:58.606{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65147-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000685345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:58.606{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65147-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 23542300x8000000000000000624900Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:04.743{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F205298CDC4AAB900697B53304F33C,SHA256=D0A6FEF0970AC9B868C8E0CF16AAF8484BA5FFD86EA753042E8381032F019247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:04.760{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA96A8017490F12EF4FFA97DA1FB8F5,SHA256=98DB445FEBDC70474A13DDFEEC5B89849BCAC0E85C466FA7CDA386D5E10EA025,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624899Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:02.070{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51680-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624898Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:04.431{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B364974A7C00A9B6C3CE79DB082B8E2,SHA256=60A8CF70CD794F91F7C9035FAB478CC8FD1DAEA24B72EC79AE89348C69BBFEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:04.510{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F53F72BF00DCD0396249C27721989BC,SHA256=D3A7A377FE82025ECEE2D1DF02EF4CC028706955ACA7673F6C2AF8A37E34BC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624901Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:05.834{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8838DFF0E781578E42C30E6685C2EDA,SHA256=E175A1FB768945EB273F0451232666615C2DC7005EBDEAE97ADE83645C653549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:05.994{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC3CD278165BB9CF78092974D7CBC3D3,SHA256=B5736ED94DB67273323FB2294784157A4D17D22BF2094D2A5C6A6320379982BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:05.994{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83502178480EE987D5B6777AB228FAD7,SHA256=F3ED1DBBCAF8B8C1F575E0253C68D6BDC8F78505540DD050B4C744EE357A21A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:01.139{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65151-false10.0.1.12-8089- 354300x8000000000000000685356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:25:59.639{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65150-false10.0.1.12-8000- 23542300x8000000000000000624902Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:06.837{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6656D9F3E97DE703AAD79F8E67FA7E9D,SHA256=A9FC3B9E4DD8315411D7665B025D2550E64391361EDF68A1D6AD2E8F6454B6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:06.822{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3E3FECD0B173F4F613B124F6F7FEA89,SHA256=751E4F0CB471E20A320A303DEC64B40C51293CFABF80A3E85F3B6BBB3B0E999E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624903Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:07.837{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4959EE3462899756611F3E4604E71C9F,SHA256=2F8D84759CD14C4869A28A03295A5F6C4FBDE252E44EC30D82444E9EC117D2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:07.932{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ED10DA345B548E07D84CDB8BDDB3381,SHA256=E585B5D0825D3ED76CE0CB806BDDC896CF7824EBBE24FF2C608A64A5DA5FAFD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:03.202{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65152-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000685362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:03.202{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65152-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000685361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:07.010{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E43BFD01B8A155374CE8BF9A63163DA,SHA256=6B6DDDE6937C4FF0A4103EC3F084BA2B1BDC3698D56717CB88171E8EA5CBE855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624904Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:08.853{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66065836F639A4ACDAA13230D4453232,SHA256=29A50F631C0D22530EDF9D71DD8F29C7DDA6D5779249AD9A55D251BCC7B8ABD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:08.011{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D769B3968EEA1300CFDBC7DCAA24714,SHA256=B2974AC66F3300FFC889A6D2CD14471F9E1265661B97B2BC4FECB6C2E9307A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624905Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:09.868{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CBBA59C6E9A1139C675D043F64A705,SHA256=E4129F4C615B3553CD6F41C12D29BB8466EC10F5C7910679DB402840209A43BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:05.593{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65153-false10.0.1.12-8000- 23542300x8000000000000000685367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:09.274{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC7D2AA53B3A7A89E832A39178D37CA,SHA256=89ED5B043266CCCA674965369F1FCD5F662C67975F4C334360A5EC518D0A8B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:09.024{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21CDDEC354C73F1AF96DC8E19023364,SHA256=EAD3EB160746187C81638944E663C336C66724BC554367552AFC0D59496C78E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624909Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:10.868{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C719863E355550CD0897828C0EA011,SHA256=9D0A4B8CC9968369A47B51D82D423942C933B5E962BE6DFF3CD9D13B78F95587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:10.513{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B06B0D6939E47C8C426D4822F0D435A9,SHA256=E2902B8D2BEA6FBE17D38D1EFA323AAABB3FBFA47F331C283CC460F385B55AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:10.169{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606611CA7A1D25ADB1E93BBE41D613A9,SHA256=EA0431CA982903F6DDA3FBACA9EC515CC41AB2EF132358B956F7DF6B2BF4EE65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624908Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:08.041{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51681-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624907Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:10.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F34E42BAE417B5B24BA3B53B18781E8,SHA256=D56C9EC2D149034B73C5F4728BC6E595C285408BE6851F9203E8DB732BF038D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624906Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:10.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8278DE54B69A00E6C966C3299CA0429C,SHA256=3E77A733C9972CF270CD2A53C9FE8805FB76FBC2D3FA3908F7C80EB449382007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624910Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:11.884{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63861901A992266E24E3A5D21E9FBFBA,SHA256=0CAFC365013DF7084EC0445D8398B5A4DDB6284F16A87A04BBA82B962281D29E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:11.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA4988BA768987C1063CEC2245B5A80E,SHA256=CBCB9936D9C3E61BDB9B1194F29D8A4D33F008FBE0082E9E2203617F5B3CB720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:11.185{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42A915B5E9EA225C5E6736E6604E21B,SHA256=CF2F6901ED4C5F30B38B09AD0515F6FB528198E0BEA2A5F79C7A4DF45FDAADE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.904{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8897081FDDA75A018AA13241658A7A,SHA256=90A5D419BF553D1660A271A16E1DF5FB73F6F2BBF8202103855BF40D6761A055,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.825{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000685373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:12.216{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6857B87FFC9DEABD4CA9B88752AE1C8E,SHA256=B4EFC20F6CD8724BCF1D2762CE1845D60D189486F1AA54EE60847544635E922F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000624937Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624936Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624935Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624934Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624933Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624932Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624931Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624930Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624929Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624928Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624927Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624926Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624925Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624924Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624923Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624922Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624921Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624920Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624919Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624918Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624917Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624916Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624915Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624914Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624913Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624912Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624911Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:12.431{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.888{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02A5-60B9-DC52-00000000C401}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.888{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-02A5-60B9-DC52-00000000C401}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.888{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.888{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02A5-60B9-DC52-00000000C401}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.888{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.888{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.888{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.873{D419E45B-02A5-60B9-DC52-00000000C401}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.294{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01246EA1CA22D66F0A0CDA7A5E4F653,SHA256=870DF068575AD6F1D364605E1BF0CF70E5FED200DE6FD6DE53726CFA3856703D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.294{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBC01ADE7FA7896EEBC8127D934A971,SHA256=237EAFB8A264BAA3FFF1CB2C0A65AC6D294A2BD9E06CCDE7A36BCB2943126578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624938Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:13.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF623765A1378187E97077DAADC7909,SHA256=8AA757503D03A93720283AB999B3A287903621D656C12325D7A3C07DE10F67BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.200{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02A5-60B9-DB52-00000000C401}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.200{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.200{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.200{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.200{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.200{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-02A5-60B9-DB52-00000000C401}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.200{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02A5-60B9-DB52-00000000C401}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:13.186{D419E45B-02A5-60B9-DB52-00000000C401}800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000685445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.466{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02A6-60B9-DD52-00000000C401}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.466{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.466{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.466{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.466{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.450{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-02A6-60B9-DD52-00000000C401}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.450{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02A6-60B9-DD52-00000000C401}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.455{D419E45B-02A6-60B9-DD52-00000000C401}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.450{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B40724242FDA0F542F9D1846DF614C16,SHA256=FA2C9B004C014054C29B23EC13B3983C054E9163F549CAF2BE237F0B8862C0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.450{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8229212B68EC5CD41FF15A0D820CEF29,SHA256=CA82063ED07E6A66780D002E1DF0DA6501908564E6EFB05DA4FD0DE928F719AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624939Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:14.165{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=930D8B38429C81644F0015905FE9EAA8,SHA256=F5A63C45477EC4823B8B956F69DDA368BE0552BD46C834DB30DA86E2381BDD5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:14.091{D419E45B-02A5-60B9-DC52-00000000C401}5846608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000685465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:11.549{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65154-false10.0.1.12-8000- 10341000x8000000000000000685464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.700{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02A7-60B9-DF52-00000000C401}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.685{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.685{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.685{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.685{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.685{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-02A7-60B9-DF52-00000000C401}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.685{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02A7-60B9-DF52-00000000C401}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.687{D419E45B-02A7-60B9-DF52-00000000C401}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.654{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA47CED917ACBE85BE710A2B0102779B,SHA256=27368B34D5BFB4DBF3FF8EE6874B5FF1821159FD006F6F3D6906EDB14902AC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624940Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:15.181{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C14A8421407710A6D277EABE3760EBE6,SHA256=919240F1AD3719ED635222CC4DC8617FA70AFEEFF49BF83E54DC94B8D1112EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.591{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=960DA80069871659587585B640C88BD2,SHA256=3C513CDD75C1D71F8E215BA6E1DD340C7CC86DAF836EDCF541B7EBDEFF850C56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.294{D419E45B-02A7-60B9-DE52-00000000C401}44363932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.138{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02A7-60B9-DE52-00000000C401}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.138{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.138{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.138{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.138{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.138{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-02A7-60B9-DE52-00000000C401}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.138{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02A7-60B9-DE52-00000000C401}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:15.139{D419E45B-02A7-60B9-DE52-00000000C401}4436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000685485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.841{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02A8-60B9-E152-00000000C401}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.841{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.841{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.841{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.841{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.825{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-02A8-60B9-E152-00000000C401}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.825{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02A8-60B9-E152-00000000C401}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.830{D419E45B-02A8-60B9-E152-00000000C401}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.825{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74EE02D4575A47069570D7B6AF970994,SHA256=DAF46779B3D09F0E423E446E247D03DE3C8B15ECDEBDFDB3E94A464E624EB9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.825{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DECC009B4F710E8F772B887C9B488C83,SHA256=CF2CF4AFFFCBD5C779909D42E9E3976440F0C3B57EBD0279EC7B35F0987E521B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624944Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:13.932{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51682-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624943Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:16.181{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DF13420B5567D9DDF1189B36AF2CA0,SHA256=217A62DCA6158A85B20E39B05009ACCCB494125F28AD7737B952AA21995CB942,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.482{D419E45B-02A8-60B9-E052-00000000C401}55005492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.310{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02A8-60B9-E052-00000000C401}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.310{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.310{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.310{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.310{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.310{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-02A8-60B9-E052-00000000C401}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.310{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02A8-60B9-E052-00000000C401}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.311{D419E45B-02A8-60B9-E052-00000000C401}5500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000685466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:16.045{D419E45B-02A7-60B9-DF52-00000000C401}54523908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000624942Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:16.071{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98A437955A7C0A86F1BEA76154E0A3D0,SHA256=54843DE1E82FE0C746D56F19ECA90008FF09717FD635A04F27CC9982328280DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624941Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:16.071{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F34E42BAE417B5B24BA3B53B18781E8,SHA256=D56C9EC2D149034B73C5F4728BC6E595C285408BE6851F9203E8DB732BF038D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:17.966{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EF015F1DF097AF481C8A88C4510A61A,SHA256=82C8189E9489CAE723D135C1D84B0DD20F39A495DB1EF29B64ECB059B76165D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:17.966{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CE0AABA729CA9529B14BBD1F5D1FF6B,SHA256=71AC84C18F81481C8D2C6F1CD08C9CA3A448378E94DA9CE3DF020E8EB22B0672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624945Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:17.181{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28E712D1F73FAA517C45FF6DBE061CB,SHA256=1B9605C0EBBBBF9A8F15F7C758215823F2A75EEDDC08F436DC8E72E768B3FCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:18.982{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7361ED3A8A24DB1683F68866ED003490,SHA256=DCA0141D50859255C66A9EED017A7DF8B47DB5D875DD864146E9D7C8FAFF782A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624946Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:18.181{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9834A6FDC01C147BABAAC43FD95DE140,SHA256=EA5ADAE700F948701E97AEDBAF9C5C8FBACB4AD29A8E5B0FE5A6B4E204C7C71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624947Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:19.197{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24E316C77B83A760C6AA3C53D8E818E,SHA256=1E5E902B465A46D3EC939E1A502EE2F49C2441141F8882DCE0D73422A7152FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:19.107{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3D502994B9623C609CDEADC816950E1,SHA256=A8A1E87573911E408B9FBA2DB8D553FB2230A1C8BD366BCC47B10723D94F005D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:20.372{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D374A01454CD726B7DD871836A2C290,SHA256=5DD1CB61F9A2E260E8AD2B728B9C2FDE89800930ABB467924DC723D310237240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:20.122{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=170F134CB1D10563A685ABFF095279B9,SHA256=79BC29AE5C346939F5EFCA865673F60C33AD24AF5D00AF7B3F968086132EB796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624948Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:20.275{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FCB3928AF6D28D1958DDDDE542CF97,SHA256=E3D5D56B71AD7C35D321E5AF78D2B9CA9F0840B7BE2852F8E512FB3C8208E4DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:21.404{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=451FE6C18FD67A3A4BF055B161A01C68,SHA256=EAD02385B43118C43A4C22610333A3198D03A251E94DE377F03A4A80E75F3F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:21.341{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7587E443F0D0C5E4E1F753A8573570F6,SHA256=B4CC5982351C690944D8B49291276022E4B843CA889F53245A2161DF049808A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624951Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:21.275{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA2C71C240E1072C6345BB451694023,SHA256=4586D0C08289F51DFAE72CF560FE577D27D825389102B8F5D1A696946273E236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624950Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:21.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1E72EC20EF2C796C8A301E782EDD4AE,SHA256=6F848102DF7C84F3CB6D3657195151BB22000A7DE98700C474252AFC8B1246DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624949Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:21.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98A437955A7C0A86F1BEA76154E0A3D0,SHA256=54843DE1E82FE0C746D56F19ECA90008FF09717FD635A04F27CC9982328280DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:22.539{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E91C62C1451E5166A9E7A57D3341E68,SHA256=0200C8C366234E680AAB854369E3F3E00F9B5B1A6275CFADA1036568D9957D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:22.351{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40C97628BFCB97DBBE465A2F84E2D9D,SHA256=3D060EFD6BEF7193B48AD5015D9344968E7FBBB21C900CA90EA479747E4D3A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624953Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:22.317{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EDA78D81E67998DBB5FAACD85A6DFD,SHA256=0EF83B9579CC6BB95A5930F3FFB6DC6E200D36A44A6ACC52330BC96CAE5F620A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:17.501{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65155-false10.0.1.12-8000- 354300x8000000000000000624952Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:19.073{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51683-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:23.679{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C7B19CBB83AB7880F1CF282090F836,SHA256=B4F5D7B351C9E9421950D400E6BB06B1EBE3610C406117A186DD1BD8773FBD71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:23.414{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68238CBC8EECC001697569D728778042,SHA256=0147FC3B125C245367B01DB316ADAA3470BB8F3394C56AA0F4BA854B002BAAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624954Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:23.332{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30ED9EC2F32D6390669727CB2C5AF795,SHA256=2B25F5537CA868A7BE009C4D43CFBBA916D4E7D103F1451EA682BD3F5C199018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624955Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:24.348{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0DA22C604F1BB9D98C5A173AB1D8D28,SHA256=8C1BB67C5E3B41BA68A3531E075398C684FD6DFF8034B89C1031AC89697BE7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:24.851{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2BB61CC219028401EF202EC8E6A5D37,SHA256=42C5A07B338B9845E4E72073EA06DFFEAE6E0F36CAEB96B1788B35C082CF55F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:24.429{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75DEE41767F1CE1AEA17C08E6486EFE,SHA256=1E3F7949C526EC6220B8BD4B75ADC4449D091961D08DBBC9D1D3AC2BDA2BE529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:25.961{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16D8A7C19E4A26A773D41543800D3868,SHA256=E953B3321C56922B7CC045268730C9D0D33799A38FFB4E6B6D104E30895C0ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:25.461{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8090FB14D7F9F9EEED4457705B2DE97,SHA256=72B4E8DC1BBC9906F680281D4D3FB0629B81A4500060BD1BBA0293C9D9969C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624956Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:25.348{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509FEA19C1D65BA400D4A76E9B4D54C2,SHA256=6F55F3825CE05DE5DF95E819C5EDBD39F0C5A12E33D3C4550E7D30759290E7E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:26.476{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9567FCCA8C34CA0C3759973075485B,SHA256=F039D3B40B239E66F4CF24BC76AA01552C60F244172E151AD25AE73A1859E753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624957Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:26.364{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7F96777B7E455F5A139561255032EA,SHA256=F6932263DDD57BA99D88E9AE66E94485912307249A1FF190D3B34002985567CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:27.492{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F11709D3DE1CA169293E5065B36FAA,SHA256=81A7B25B8A6825CEA232FE79D3DB3B87045B420EC8FF102AD0F27D806C867880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624960Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:27.395{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0C47A661CC866B5B01733E2B2990CA,SHA256=CEE1754C5DB2B96D9830E8FD9D1E6ADB69EB29FD95D81F7D553DC9EFFF99B78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:27.429{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B7B054C02325877AC2EB0FE41284AF2,SHA256=B46B6EB64F374D66FC2C8393F71BB72F0C8D4D362C142969831C3919E8DFA94B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:22.574{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65156-false10.0.1.12-8000- 23542300x8000000000000000624959Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:27.129{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5355F51B71A734C9B91F6DA82B6DB7,SHA256=0B570A52D321B249E9843454C5D3A2A494F5A38B6328E0F8826C1D9FBA590F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624958Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:27.129{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1E72EC20EF2C796C8A301E782EDD4AE,SHA256=6F848102DF7C84F3CB6D3657195151BB22000A7DE98700C474252AFC8B1246DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:28.711{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBAB5F376EFBD172BF6B6A31EF9F637B,SHA256=212C27F1770DA31CE4DE45C559D05FEEA88A86F9FB6DE274C1C65949859CF779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:28.508{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EF5398F46A8E874358636CF4D27E80,SHA256=80F5E8C14FBAA45907545DC436C3E09EADE6A0652DA8FCB300B7FF0B39F0AD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624962Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:28.442{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71433EF0D29CA61BF292F7F2C98FC06,SHA256=108CBA2C2CBA4B1AC4BBE722F2782AB7F8FA898C8FF3686EDB3F5C77263413FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624961Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:24.962{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51684-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:29.851{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29F738773EB5942002025268134FC8E4,SHA256=741C0990B830BD18CC471705BBF9C91287BCF1067E2E4C4FE90FF58B995EB99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:29.523{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5B39D23BCC199DBEBD84CB24725A7C,SHA256=90EC1D3EFEDDDACB31CFD89E5767D58A2D76107E0406BFB9E5285ABB237E87FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624964Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:29.457{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE231806347FE1DF433663937D63DC5,SHA256=D92CAAC769FF8C6BB1863D86B12B27144BEC786FD9118B051C4A63D24B76DF0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624963Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:29.411{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9f10b20.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:30.679{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EC58D52CF23864F29246943BD95308,SHA256=74E69C4AB26AFB011B06C85F89648956A6021B685D4D87802B29B38212C7E723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624967Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:30.754{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=730A6BAFA3D2288AE05BAD624C18C405,SHA256=2663ACA26965EBC4F1474BEB787236050C530E79A6224122562C2371A068456B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624966Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:30.754{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0E802D9E51217A998A1EC923DA72344B,SHA256=527053FF4E0AE540AEF65A8756F9B235465C3EFA538AB6186DCFE4D58F6A379B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624965Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:30.473{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAB30AE591A48E256C96147B87797D1,SHA256=CECB8D4FDEC44B99E9DFBC8001836C4FCEE8D2326EB939769469A9DFC52DE26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:31.711{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07981928FDAB98DF3451AF42DEC72AF,SHA256=D163E7E7A5D18010F9FF0C2B215366C227F87B0AE696EA5214758927A7531177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624968Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:31.473{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D83996AFC7739EC77F26E395B3044A,SHA256=88017C8CE367CDA0CDE540892083FEBEFAF6E4726B9458C88FA1AABE407C6B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:31.008{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31803682559F9CB7754314CF3A53354B,SHA256=B80997AC0617DEA6C56443536574C55F3965C385326000C23134F369044D9C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:32.789{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D2593B2B1AB8BA4851EAFCF777CBBC64,SHA256=56384FF25E832E538066F04B52E6B00CF893C1BC91850E896B00B1DA3C93CF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:32.726{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAF7174B6D64B98DFA3013C377F5F63,SHA256=86B13532455983F8A016EE4C9C825D683562E503E4EE177EF4D12936D5A3ECFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624971Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:32.504{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D7436311A710096A294BCA5EAEB1EC,SHA256=DABE001FC39C9B2459390651A72D345BCCA4C14A795C76961054DB1D47B7B36E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:28.449{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65157-false10.0.1.12-8000- 23542300x8000000000000000685514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:32.039{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EB0FA1F8127942E24ED3BC8DA9B4CF6,SHA256=4456DC42429C61770DBABEC1CCDDD58F67CED7A38C9645796296EF7BB1576F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624970Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:32.223{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C012D5F2F241D8EDD1A371F6CDA921A6,SHA256=776A59A04E7818CB1643FA1745A0875733604B037F87DC1BD0287D06CF5DFB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624969Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:32.223{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5355F51B71A734C9B91F6DA82B6DB7,SHA256=0B570A52D321B249E9843454C5D3A2A494F5A38B6328E0F8826C1D9FBA590F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624973Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:33.520{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E248DE0F8D47FC1898EF9408C6F70367,SHA256=E1F66E0492688EADBBEDDC82C8846F296B972B5BB7276529D7B01DA2706E8566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:33.773{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850EA13A037679EC3D0CB8AC2CDED58C,SHA256=FC23D18641610E9E370288E6E5512B3BE8B8F7E076B59B209AF1AADB917BC109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:33.117{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA09A3EDF5657842F9B07EF1CBC0498,SHA256=06EC91C3E467C311F1CD0F3C88E1963B63D3C999318391B68BC49C238B4B63FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624972Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:30.083{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51685-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:34.820{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13E40663714D8E88AE06863ED4D5E80,SHA256=EE11B148535818B9D7B2CC3D6017198B919F41ADF01895D2F6D74E857F5B3BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624974Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:34.536{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC97DB93A9A6F02A932A7FE52F0D787,SHA256=1445431BACB56EF732A29DF9B7353A1AF81661DB6A44E8E31A4CA9E69255BED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:34.242{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7184918E8E70203BC5215D90B690DAB,SHA256=50E30833890712D2FC9BD120473A155EC78253E4A4E37A967EDBDF12C341CF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:35.898{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FEC196C042C53D301647B8EA07DE24,SHA256=61EC3389DFC26884099195A968D266D32A5A49E6500C2F4CDDDE2F69C0542DC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624975Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:35.536{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472C0F79C9E3D16F3A48CE2A901B8258,SHA256=C699B42E45CC468ADBC2999D6FC5AF7A06EBC6C567F9CE5019555B0947F01A05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:35.508{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF3EC2CA0726E2DC4DFD5D1E7BDBB4E5,SHA256=0CCEAC39F8B30975935165217824AF8066E48AAE63D3D2196A8B5879492A9824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:36.929{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF95FC9D9DBAC9FBDA51B86A025113E,SHA256=E7168943BD85EC5989E2097B902D945B985168E2E8D765E00E791587AE06C2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624976Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:36.551{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC14ECBE45FC6113EE06E178FE317E6C,SHA256=E59601038F2E16B8D97CD3804DDB1CABBA3F65B99F910F7544F553AE901F026C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:37.945{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51629F8C4287495F4C64BF066809E2A7,SHA256=615E520C62651AB792037B4CB4061FDF2D893BF55A461C3B67F7E016B0EA2BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624979Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:37.567{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C87AC36BF8ABF1DC7158608CFA8CAE2,SHA256=C2F28868B8D65D4285F8E9D24F61674D32E330CCA7B266D2A841D27AF484CB6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:33.590{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65158-false10.0.1.12-8000- 23542300x8000000000000000685525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:37.008{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B214223E151F41BB1BB06727306CABE7,SHA256=F3462176C3162241576337FD4D08056E2373C020FE5B55AECC7DFA2C30FBE72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624978Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:37.301{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C53B3440A1F94C8EDC01337E19C51FDA,SHA256=6968717DC592DE85222A7388C9514A28349D1375DFF25CB9D8141E9A8832471E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624977Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:37.301{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C012D5F2F241D8EDD1A371F6CDA921A6,SHA256=776A59A04E7818CB1643FA1745A0875733604B037F87DC1BD0287D06CF5DFB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:38.976{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C519E92A15B8C9EF3ABB35BC4C54B91F,SHA256=2AF0065968647206F4297590F95DCA04E9816DDAD4D6F1B0A3EC90A00B3D02CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624981Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:38.567{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96483865872BD6B89BA9F1DEB96C899,SHA256=00C5B98469E68CEE68011742146BCBCF68DF42A41CCD9D6A137EF2488C080FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:38.289{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2763CE9FF1B7955E2B741412841E1477,SHA256=F46DB06BE7331FEF2D5341C366B0C237E78407E522ECCB0AFF8F80629393EAF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624980Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:35.100{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51686-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:39.976{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F847652893969491C966A74D5DA577,SHA256=7D7B62E450D2CA91C83D6397F3FE85498AD027BBCD6F8C3C42062B07E7623FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624982Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:39.567{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BF4C5844EEEC5510C867DB9B216C74,SHA256=2E3CC1B5A70BD29CBF7376D8BA1B26E6C3D8959189A51C1B9E358D5EB187ED58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:39.320{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3B4A7020D09586DC2F33E470C1B7EB,SHA256=3B5345B23AB28C0BA8078FD0A444F4D4CE0530DDF76C026E573A2A45C38B90BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624983Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:40.567{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2E777874D8030AD10E02348331B32F,SHA256=3EB77888F9A6C9BCEA3D98E1DA4BD71BCDCD897759B23BDE08ABD12A3DEF2CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:40.476{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3451DE060460DB8094215B111CF8266,SHA256=0901D7CFCFFB5BB69F54F2AEA67E898A658AB7B1D5D6DDFE5A79B9318CF57932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624984Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:41.582{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBCFCF4EC4288182395023ED6A49B9EF,SHA256=DBCC0A7297B2A3BF3B6170480A1528D907A3944AE4ED51868255667BDF0FCFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:41.726{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E31795D14A4FD213A5B40EDDC910A77,SHA256=CE148B6B3D82FBDBA11C7175533FB3359D4D698932372DDEC044977C1FBA6E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:41.023{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFD4FF4745E8D802365D203C3F90A5B,SHA256=B17C58E26CF5D793078D2578F31344601E2AF6FE983FC296686F379585FB2DC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624985Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:42.586{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204805D0AD7B47F50E381A1E29E44E60,SHA256=D9EF3A83A13054401458AF4BD65C66CDF09853F3BE71746D5E16D96934DC838A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:42.054{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E11362825219561BD9AB02715A05DB,SHA256=174913B2F73B92855FCDF00E1AA6328E89F7222BA6E256026A939BA4ADB9E295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624988Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:43.588{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535B4E2DE25F81FEFCB9E2902EE4F122,SHA256=6FC9BB758A152444B8952271AB449EDAD71A9C0FF0D7490F5282B8F703CE1452,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:39.464{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65159-false10.0.1.12-8000- 23542300x8000000000000000685537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:43.168{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FEBD5065997A50379658000B593F5FB,SHA256=D0C98AD32D152579A6EBB76A78081065C4BDA00F1356E4F3CB2FBA0964DE33D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:43.074{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5E8B3A9B9D0EDD7398C3F0B076540B,SHA256=D7B19EBD832A2CF81BC4C76A36D703A604BDC7C1FC8E7E36871A9A3D10609108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624987Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:43.227{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BC6D5B48FB55A87D9FF32DD0EA3F6B,SHA256=9F7585E286E69F0AB4B7ED4B25419162692825B2932A7DBFEE010AB8D7985F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624986Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:43.227{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C53B3440A1F94C8EDC01337E19C51FDA,SHA256=6968717DC592DE85222A7388C9514A28349D1375DFF25CB9D8141E9A8832471E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000624990Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:44.603{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD24E61370F77FC60E14B7F6EB860D7A,SHA256=B39F44124ED56186BFC344B6C95A818239FC661A4DB04F3B81865C6DAC290F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:44.355{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1EF5805F7CE2AB8F1F9D1C1C37654F0,SHA256=857AC623BB05AD194A0CB387F2882F79019EF7419B94478AC249F87CEC3871A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:44.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053A7640836352FF3CE6A7E17B8C9640,SHA256=EE0CD09725F265DC90506D822F5A210CA3BC43C516034DD668A9ACD2106DD81F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000624989Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:41.068{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51687-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000624991Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:45.619{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41529902418AFD32D3DD56829CD9F207,SHA256=536B97F18EB956D290AEB575804B129D3F7F8E6D3A5228EED4F579247E13191E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:45.512{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52DF4C40FB428A1002BB5D9EF486B731,SHA256=A0F94EF060F7E5678F180672788753788D6F60BEAB726487982899AC3D06B28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:45.340{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6E0E1BF8D414F9C37E20B82B477478C,SHA256=B28E032C006C6265419D417CBBD6B770FCFA8301A1D4DF1E66D4B3A822BF320C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625002Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:46.650{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FF2ADAE3A7EAC99CC25A17EAFED42F,SHA256=D5C85E4402BC87568A54AAD88ED439E1B902803AE241EC21C527D7505A137641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:46.715{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B648C06A21751865A6C478B8AF39B72,SHA256=2D3B1452DBE5895CA8E72FA4AE184F62629A1CC64CB40E10FD7D998A3EE12AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:46.355{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73C3E184DA5C8F420C99B906699DCE8,SHA256=32E9AB59E0AA4C285EC06339EE1526C4FA5A682A025157A045F1D968DF3E7DA6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000625001Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000625000Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09f14da8) 13241300x8000000000000000624999Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588c-0xdd27dcb0) 13241300x8000000000000000624998Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75895-0x3eec44b0) 13241300x8000000000000000624997Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589d-0xa0b0acb0) 13241300x8000000000000000624996Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000624995Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09f14da8) 13241300x8000000000000000624994Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588c-0xdd27dcb0) 13241300x8000000000000000624993Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75895-0x3eec44b0) 13241300x8000000000000000624992Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:26:46.447{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589d-0xa0b0acb0) 10341000x8000000000000000625012Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.822{97C2ED32-02C7-60B9-455D-00000000C501}55962216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625011Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.681{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-02C7-60B9-455D-00000000C501}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625010Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.681{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625009Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.681{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625008Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.681{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625007Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.681{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625006Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.681{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-02C7-60B9-455D-00000000C501}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625005Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.681{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-02C7-60B9-455D-00000000C501}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625004Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.682{97C2ED32-02C7-60B9-455D-00000000C501}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625003Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:47.666{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CFCFCA2B0D55A6919C603CCE722A27,SHA256=592CF9FC11BA1DC3EDD74CB46A3CFB3BABF0C89E11214E8B1FDE206CB5795E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:47.824{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=441333CD2409656CFD63C25CFB83E179,SHA256=C19003FF0DD538BF588813204DAE7EA93DD6D90195C68C1264F9A1E27317854D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:47.371{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C98C015A533C5C322E57F70BA8EAD2,SHA256=7FCBDA49D606522B284A7CF71FD6A9C7CE04B17FDE1CAF6876464C50710B46ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625024Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.728{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B138684A32E084474DA396D54D47C2,SHA256=B506E0E61D44BB5D5B427E0B70FB3DEF58F357C96199CCD925F3CB81E8204709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625023Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.728{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63BC6D5B48FB55A87D9FF32DD0EA3F6B,SHA256=9F7585E286E69F0AB4B7ED4B25419162692825B2932A7DBFEE010AB8D7985F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625022Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.681{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220E44C560329477E314C8EA1EF02969,SHA256=7F2E43D5FB00C87F60FE40DD000C81EE894FEC922BFD6725EAC50B9200A5D4C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:48.371{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1E851D2E330545E02FE7E745D1B304,SHA256=760100442D41FA8D5B33237AAE3D7D236CF17250531BE880CCD0F77A34A466F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625021Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.478{97C2ED32-02C8-60B9-465D-00000000C501}57085272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625020Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.353{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-02C8-60B9-465D-00000000C501}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625019Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.353{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625018Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.353{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625017Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.353{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625016Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.353{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625015Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.353{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-02C8-60B9-465D-00000000C501}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625014Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.353{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-02C8-60B9-465D-00000000C501}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625013Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:48.354{97C2ED32-02C8-60B9-465D-00000000C501}5708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000625042Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.697{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-02C9-60B9-485D-00000000C501}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625041Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625040Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625039Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625038Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625037Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.697{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-02C9-60B9-485D-00000000C501}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625036Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.697{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-02C9-60B9-485D-00000000C501}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625035Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.698{97C2ED32-02C9-60B9-485D-00000000C501}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625034Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.681{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D60958C7AF890BD48355F411A97A40D,SHA256=4197C3356216E3C54208CF7AF0302BC95E6EED1785A669EDE44CDCAE89669067,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:44.484{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65160-false10.0.1.12-8000- 23542300x8000000000000000685549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:49.402{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923C4DDE58D8090D712C4EEBF368A5E2,SHA256=19A72AF0E58E61C6707C18DF9E74597D4876C537E11B1A163EE22074126D1411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625033Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:46.948{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51688-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000625032Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.025{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-02C9-60B9-475D-00000000C501}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625031Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625030Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625029Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625028Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625027Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.025{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-02C9-60B9-475D-00000000C501}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625026Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.025{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-02C9-60B9-475D-00000000C501}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625025Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:49.026{97C2ED32-02C9-60B9-475D-00000000C501}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:49.090{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0B63E54E71942C855EA3DD381D5D01C,SHA256=E8DA447DC55533683D45DC4890EE90557650FDE934EBADB50E7C7E3A06932C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625053Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.697{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE21F28DF1E291B5ECB61C65EC55428,SHA256=CC96EF2515D05AF6841B25FA5C7838F501A55E0C5237842550FBB70437A3F868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:50.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EBA82ADB7CBFD36C0F874E0E724680,SHA256=5B074218E361C3291E19C57C92D3104E1B9885FC5B9EAFBB712A2D1A3FD977FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625052Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.494{97C2ED32-02CA-60B9-495D-00000000C501}59045104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625051Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.353{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-02CA-60B9-495D-00000000C501}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625050Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.353{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625049Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.353{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625048Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.353{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625047Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.353{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625046Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.353{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-02CA-60B9-495D-00000000C501}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625045Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.353{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-02CA-60B9-495D-00000000C501}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625044Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.354{97C2ED32-02CA-60B9-495D-00000000C501}5904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625043Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:50.260{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B138684A32E084474DA396D54D47C2,SHA256=B506E0E61D44BB5D5B427E0B70FB3DEF58F357C96199CCD925F3CB81E8204709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:50.543{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89F3E0B850BD3D11CA5BC02961E8BBD8,SHA256=7EA97D2AA327E71B41B50249997EEBB8A43D03254002DDC7FCAD181121C0FF8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.838{97C2ED32-02CB-60B9-4B5D-00000000C501}20242312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707524DA9F18EDB38288FC0E6EE07F84,SHA256=A68F3277D20DC9B4ABD5345976EDBD68046DC409D5BF62D1A3187E831D46BA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:51.668{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D7343A5465A6C8BB1B5BB470971C5C8,SHA256=D6BE82BF9E94574A9F0C70607B99CA3AF92E915DA006CD6DCEBD4AF6C54D0B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:51.652{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490E6F77B66809910493C379DCE12956,SHA256=CBCA0A2225AA93280974ADDE0DEF9318CA916879316CD9830B7E233C195A393D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.697{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-02CB-60B9-4B5D-00000000C501}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.697{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-02CB-60B9-4B5D-00000000C501}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.697{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-02CB-60B9-4B5D-00000000C501}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.698{97C2ED32-02CB-60B9-4B5D-00000000C501}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.603{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A9D7340329E56AFDA6ECE94BA4E2E2C,SHA256=E934466CF7E984D9BC273CF9DFC97AAE3A7FAD9BFD0D5D3AD777A61E6F25F7E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625061Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.025{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-02CB-60B9-4A5D-00000000C501}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625059Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625058Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625057Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625056Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.025{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-02CB-60B9-4A5D-00000000C501}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625055Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.025{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-02CB-60B9-4A5D-00000000C501}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625054Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:51.026{97C2ED32-02CB-60B9-4A5D-00000000C501}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:52.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A54249E064841231D7E4B249AA6DBC4,SHA256=C96CBB8A15C274678B1B1835C358FBF09AC7C14F88AAF4DCA5C3F20BC7F2552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:52.824{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5347445D1E584C717514054F8E75C53F,SHA256=EADCCF8F0104FB1220F6814D53FA86E6E79049E033DC5E3B8E9C2866122361EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:52.793{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EEF55076E96BF11EC92A01A1257E5F,SHA256=CA422F14040EC0D978C8779A9557B33E5B39DDFFBA624C9E4D405D0A3C5E5980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:52.697{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2027659AE7FE10FEC283646E0397E1D,SHA256=060B5AD33AF874BA470ED442F8020F8C0F9E1B6EC2CF191FDDFB78F713094C20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:49.516{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65161-false10.0.1.12-8000- 23542300x8000000000000000685557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:53.824{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF244E9AA536B8D7B74B612096394C89,SHA256=F5C982CEED344CC8266F2DFF9023981E1D88004342D83D40CC6FB7AADEEED933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:53.728{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73676276837BF8742B6AB788510C2A1E,SHA256=343F670AB87BA35563731CF6B53692D22AE6AA61C3941BEC80B5715DEFB1C3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:54.840{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D94212849012E8D3AC3311DD4F8BA3,SHA256=6DE11A03C2C1806CDDF0178B088140545CA9DDEF5BD58101E93B558B2740C668,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:52.042{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51689-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:54.728{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871510F0CDB7C5F41DF2FE89B5177958,SHA256=8156029673D8D244395F7C813C6092EEFC67F985C7A0C49F2899BC5005E50886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:54.012{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=108F814901A4EFF31A5CBA28E009F170,SHA256=4A444C49432814DDD757A0D2C1686B0E3970EA805577DE786FC3339E6AFA33AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:54.306{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=694F9038DF19720C843F551AC0A4862C,SHA256=6FB1DB25B5731D925310285624A06BB1FBBCE4B33731E62D0DDCF8107E7368AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:55.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CD6D50A6F32BE36739767D75A1BF97,SHA256=BA9EE3C09E9FC805A044DCB4E80FF4842F6B0278B2415342D8AA6D73B3B5E616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:55.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=684B907E28640396B538EFAFB9268C4F,SHA256=2AE9C12D0E327888D3F6FE5621B538C3ECF3E8CB1C719D732DAC45A113C97A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625080Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:56.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF98B8FC79C7331B323B22ECAC230BFF,SHA256=96DC798A1D087FC8981C4CD1475BA9120A2D864B20320A3852FD0F843103BDAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:56.574{D419E45B-752F-60B6-0D00-00000000C401}9041968C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2B00-00000000C401}3008C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000685563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:56.262{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=272A754A4B138041CAD6E592F4E9C2CA,SHA256=099826734EECBAC12AD32E4D8BA4C2B275BC34076C883E039E80CC8F95F82CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:56.074{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44DEA948F8D2BB36FFCD65D9EBD4F500,SHA256=446230CC7DB536BF2CAB609B6C8CE77C4ACDCE9FD127895415F1720906A5B547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625081Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:57.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1295C2A7B65225CD2B06FA24E83C8DD8,SHA256=45EB94937361AD1B9520960316EF7E52702BF9697E9648E0FF699B975CB8C05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:57.387{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6178190272C9D5C23F12B0B33DFBFAE1,SHA256=399B789DCF6181AEFD1D72B0ED75DB392DBD62B303218DC45ACAB9E06FAEEE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:57.309{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181A473E1A95046F657A80944A78D256,SHA256=2FD42E8128D82E31492AF130E1D9554F87866520EAB06E1DED61EAEE66FC3ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:58.760{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF5315A2FA6D38A84144DB90A110C0C,SHA256=8C8C2F7B9746AC9E74EF4B26A63AD551A456D7D33E93887C1A9CB6B8AC36BED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:58.527{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0700E46B60F2F2A904D1208E39B3A477,SHA256=6B8E07E4C1675A1AEABA4374E0A565CE71C3B5C29B27FDEDEDFEBBA279C7D585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:58.340{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C14FAACF86BFBE383BBC9503A7BDBF,SHA256=63C04F90FE6ACC6FDD189BAD997AEFDC8B543CBAB180ACAFF92E260C46D9C596,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:57.057{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51690-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:59.775{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3179058CAB803F7F094614D83D6DC2,SHA256=4DD2E10A6D986EC9065760D352770D9824150CC22605F8C14CCA4509BC801CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:59.668{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=162256D165A6AB82CEC1524BE7A84277,SHA256=99FAE93CB57DDD49936546E286809FF87B8644AAC8F58E59B8D54B0FAE67AB2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:59.355{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7BAF02DCE4FCE56E042502C4D05F57,SHA256=D25FEFCD8A99E2217069A77E4E3D1C7E6610C905A248F6A2E411B4189E08A121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:59.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B85D86181411E023515FC580A9A20BE,SHA256=2A7E2E78DB021ECF4A22BB8587D447980867085D7102482B7F7CC88C1D0F54E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625087Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:00.775{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F5F1B08B7372BFA3A729714AF95796,SHA256=1924BBAE145E886FC376FE9D01DFE72D1A8D7501B0530032B84B6A83DE1BAA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:00.809{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26255519E801719A03AF44B84E4D3D7A,SHA256=B3D5BD02F358BA9C203127B2617CBFE855026C6206894EF3B444654A6BA22EC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:00.387{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F2AC3D8467D9F4B9E4DA339CC2272A,SHA256=A380DFCEDBC1AFFFE1035D4705B975C0D45FADD7F1F3A7A24D68EF8EE73D0BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:00.713{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:26:55.468{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65162-false10.0.1.12-8000- 23542300x8000000000000000625089Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:01.791{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07CC503C5330BB7C5276DCF309B8331,SHA256=F36E898C06FE5F5C000996111B523D8453CB5390AF5D1F30C5FD45005FD337C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:01.402{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759C6A25E85DF0A607A6211EBB304648,SHA256=154B65037171EAFAC933B1182E12EE379D5683F758337C099B09D9774DD5BC37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625088Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:01.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD827902873BB558510AF6546C79C4F0,SHA256=D95092BA9C114B77DBD1FEBE9265CA6FB99E76511D14E892E875BB6173860904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625092Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:02.883{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C9B16B588162DA476EBB57CA98B4ECBE,SHA256=051B142BE8683F46195FBB90DCFEF6BF096329CCFEB227CEE6A84EF08809896B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625091Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:02.821{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9AF8E38C19772A76719BCD6934077E6,SHA256=EA63253901AC5911798FD51CEE30F1DAF95604E2584C69EF1E4EEDC443657DA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625090Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:26:59.558{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51691-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000685576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:02.434{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E387D0B8C903A6D3FE8C6255558D3883,SHA256=0247E2721ACE56DFEDDC2EEDA74ABC5DA7910E680E7F14726C87243861DE964B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:02.293{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BC27F62C34549868CF0BC31C22B030F,SHA256=0AA86BEADF7611E0EB2DD05AE818F2FEABCC18EE9A749C10D4C4C314C8BE356A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625093Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:03.852{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC58B0D939DF03F198D0A8180DDA2749,SHA256=2BF1FE31F520AF2C72C1E48CEF485F6EA6FF8DF5F6375DDE024B22F6117B6FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:03.762{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:03.590{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD02A172CEBDF140E7F7B3FC8CF6E987,SHA256=E8A48EC042A144F8B054D3F9496A9EBFEB5EF6FEDC9C0B80F52D32CFBDADFD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:03.449{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1765678B695972EB4348FC7ED5098550,SHA256=97440C631084680D231E313280A2D903A2483022B84DAFBE416C467AB40A9144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:04.637{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D09484D00021F6A521A6D43FD346D447,SHA256=6357F4AA25015CAD87DE3E4B1EA28850CE88F900EEC3CCB9ED3F589B31469AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:04.465{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768BE6470E706C832DA10F54A0735368,SHA256=497AC653B1058144AD998B432C05998526F002F982C744052ECE7D18B36243E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625094Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:04.868{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F453E98B96C504637A4D1DC4118220D,SHA256=141A2A634C5850A634EA042BB5F240F0ED126D123A1BE93C3E6CACBA517BD3BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625097Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:03.072{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51692-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625096Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:05.868{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC33BA48BDD590D826FE0286630ECC50,SHA256=FC7B0CA5B30B1B4E95EE7FBADAD47C11FD3A1BC2E4AF80B92518866AEE342E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:05.871{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D807BC890C80BCC9C93356EBF05CE493,SHA256=AF7CBABF121B749977899D24D51F2D711EEEF0EBE90A07736BC5BFE1EDD7FBF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:05.527{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D81C4AA486E442B7F31F350E779A550,SHA256=AD21730B75C03ABF27CECFACB197B74C3FAE100268AFC58E69AB812098BDDD4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:01.156{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65164-false10.0.1.12-8089- 354300x8000000000000000685582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:00.562{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65163-false10.0.1.12-8000- 23542300x8000000000000000625095Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:05.227{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FAC8734ABF95313E6828F2E4AE19321,SHA256=C2A5F3C30E64D19CC95E5FBD55BCBDD9A08D69CFA8D6DAAD79752F716858FA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625098Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:06.870{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05269DFEE8077D88D8225F2885075748,SHA256=7E5F94F6D51B85B76240E9ED8B0AE990AA796AE4D07426B19B609044C63D087C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:06.559{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCD2D7D89BF31BBC0F93F449756C48A,SHA256=9088885316D7D17F323E966DB13BFD46352748C9A29D99014BFEEC9C394F3C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625099Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:07.888{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7254ABB14FF34E7C8010BEC6F17BF53,SHA256=EAA31DDC2D426706AB8FF0E3216B9C4FD3572CD0F445AEA946C3B409E5972871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:07.590{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBE0376355378AD60302D889BC7C015,SHA256=6261FFA19593B87DB7E8BF581B3355F82CCC3AAD26FC6BC8CA7FFE6BDAF40C36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:03.203{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65165-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000685588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:03.203{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65165-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000685587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:07.012{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C5039E11ADA9C405F180561CCFC8B7C,SHA256=D0150A1AA0F03E75BB30D0A9AFD10333DB40F1758C557A9164B239231272FF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625100Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:08.903{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD352F8D9D19368A085E3481DA231A6,SHA256=DF02DF8A2EA60C2403A0D30428464B38E51A9724B6EFE0B757C8D541DA1ACCD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:08.590{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D628770BB924C02987BC6841DDF85638,SHA256=F4CB12572AC08E37FCD0753644E8429902586729746F9EEF4DE6F3ABCE67548C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:08.246{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62811C394021689C7EFD03460EFA21BC,SHA256=495783FE34EA8338C305DF2A314AC95A34F79DA0344FCC6D9E6575BD4AE82DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625101Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:09.903{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5B14D7C55D303345E062339AD12E5C,SHA256=755C656D8AC4C783BA71A072AD9DF13B2D54DEB979F4201D66E87789E86C133D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:09.655{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5881B34CA819065A65FAC304FBB0D9,SHA256=76C06B593C144816F22D4A5D1B0CA0A0F25DB884C4D214F05B7C6DAAA68AFA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:09.280{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DAC1036E65C3178645FEBB094E21B12,SHA256=82083B0FFB48F539D7A57A670FF50B9A5BE0BC28D62E71F48856F3808A2CC0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625102Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:10.903{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E01A1AE1C6BF0B68AD75432AE63F2E5B,SHA256=5E7F52DFA781704A5C3C68D08B09F8E7593B2682077081C029F8F0560AAE22C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:10.792{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD22064C3D4E353304EB4606077C93E9,SHA256=3B54BC6851FF7241701F61D4925B09C19331B145EA659669330718802DBB7930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:10.792{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5AB7BFF58F28EF2D8701EA8047773B,SHA256=86F05A4242FE4D1E3B113FE148CB1D27CE3DEDFD6F05311D52DC09BA8266ED69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:05.641{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65166-false10.0.1.12-8000- 23542300x8000000000000000685599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:11.937{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26BEF7A2D58AE23C77AB03834455ECEF,SHA256=04F00460A6D69D0AC96558F100ADE3D52F9886AA8BFA34BCBF2AD37AEEE236D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:11.828{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C58ACE8A1F687D30D8153FAA0DF6368,SHA256=94AA2529121CDA31810DA7E1F75878DC064718CBB71FB24BBDD13B065C0C7F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625105Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:11.934{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA6ACD7309392A872FEEC0A8211856F,SHA256=BCA34DF6825B9361845970D20EE059130673180DB454FD730858B396C8EDF3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625104Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:11.231{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B547EA4CC8BA17FD377A275F38D6C357,SHA256=89B35F0DDEBCF0F6801EC5C489AFADA650F2B7322267475F20F8FD92FDCCADDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625103Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:11.231{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD7E295701060A8A6365C2980C3DAAC,SHA256=F398D637DCE9BAB7DFDA8BF6BDC3BC4C9713ED20CD2153298B9F72ECA9CF505D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:12.859{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9879A23FB53E6AF45F58D0D3DA629D10,SHA256=2897979300C540649A658CEDDB88F8CB623C49C92FD4AB7666D4B11DA3253C16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625107Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:12.950{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52215EBC06AA015F91C77D71E6CB70E1,SHA256=5893D51504DC45E4669F7A6A217E4B92EE4CF4CCA022B4297CA4B7AA744E0563,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625106Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:08.967{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51693-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625108Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:13.966{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7E3404216FE77F1CF80384370572BF,SHA256=210ED13D1D7DA62E62F7AB2AF895C8A5FF2855260C2839FECE8C5A11DAEF2800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685619Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.906{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02E1-60B9-E352-00000000C401}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685618Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.906{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685617Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.906{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685616Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.906{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.906{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.906{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-02E1-60B9-E352-00000000C401}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.906{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02E1-60B9-E352-00000000C401}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.891{D419E45B-02E1-60B9-E352-00000000C401}4316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.890{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A431F62F050C8A9EC764B712E5ABF28A,SHA256=E3B01084D35D1E70BB45B9D5A4593C92B6265AC80A5D7148296F602110B10138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.406{D419E45B-02E1-60B9-E252-00000000C401}7042208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.218{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02E1-60B9-E252-00000000C401}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.218{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.218{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.218{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.218{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.218{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-02E1-60B9-E252-00000000C401}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.218{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02E1-60B9-E252-00000000C401}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.173{D419E45B-02E1-60B9-E252-00000000C401}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:13.062{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BAF1F282F7F71C428C1376D12A2D4CA,SHA256=ABC5DA5D948A4496C4FDD8EE371143CFAAEB9761C3E51304FE5D1224B4BB1690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625109Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:14.997{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D0D4076DE3B2BB624C206E4400DD87,SHA256=B2BA2D05310FBCE68AB706D90863E61D2AFA72630D45536D774AD4E0F8756E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.921{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32681348EFB013B63BBFAE644A0446EC,SHA256=812C6FDCF7ABE4FEEDB066C454A105A460A9160A0F84ABE9D7F7E199632A4EB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.453{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02E2-60B9-E452-00000000C401}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.453{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.453{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.453{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.453{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.453{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-02E2-60B9-E452-00000000C401}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.453{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02E2-60B9-E452-00000000C401}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.439{D419E45B-02E2-60B9-E452-00000000C401}860C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.421{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F00892599D81C922396EEB8D2CBC4E60,SHA256=D664F015B928A43D8CA60C5DDA3D4330044A0653660D8FFCBC22D1BDF35FB73B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685620Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:14.156{D419E45B-02E1-60B9-E352-00000000C401}43166928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000685650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.953{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B563C84201B61EB0286CFF92C1D114C,SHA256=5C872A48AD9A7A556751C135477C28052EEBE52ED870F690DF44C4D7795488AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.875{D419E45B-02E3-60B9-E652-00000000C401}48402180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.703{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02E3-60B9-E652-00000000C401}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.687{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.687{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.687{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.687{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-02E3-60B9-E652-00000000C401}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.687{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.687{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02E3-60B9-E652-00000000C401}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.689{D419E45B-02E3-60B9-E652-00000000C401}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.453{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A31D7773665722C6215C43392F43BC6B,SHA256=07C543BB6695E5097881E940F9FDA8A0B4DDDBDA28216B5F772C906F24DCC1C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.234{D419E45B-02E3-60B9-E552-00000000C401}69924516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.078{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02E3-60B9-E552-00000000C401}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.062{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.062{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.062{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.062{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.062{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-02E3-60B9-E552-00000000C401}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.062{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02E3-60B9-E552-00000000C401}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:15.064{D419E45B-02E3-60B9-E552-00000000C401}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000685661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:11.409{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65167-false10.0.1.12-8000- 10341000x8000000000000000685660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.568{D419E45B-752F-60B6-0D00-00000000C401}9047060C:\Windows\system32\svchost.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.568{D419E45B-752F-60B6-0D00-00000000C401}9047060C:\Windows\system32\svchost.exe{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.359{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02E4-60B9-E752-00000000C401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.359{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.359{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.359{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.359{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.359{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-02E4-60B9-E752-00000000C401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.359{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02E4-60B9-E752-00000000C401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.360{D419E45B-02E4-60B9-E752-00000000C401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625111Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:16.153{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B547EA4CC8BA17FD377A275F38D6C357,SHA256=89B35F0DDEBCF0F6801EC5C489AFADA650F2B7322267475F20F8FD92FDCCADDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625110Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:16.013{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86EDB3FD434EA8AD86A747DE48CB650,SHA256=AAAE293561081F80DCDA0ADDC064FAA6DB239A75C523422EB7404964818FE14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.187{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EB151DBD74CC123375B3842558997C3,SHA256=A6BE57F4BEFE3A4082B6CD601550FD699D38586246965FBA0E548E317BDE3B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.187{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B3150934051B6D9BB89BCD83EFF377,SHA256=7E633AC3C6FED8A056D94BA1E6A0A1C57D7E88854696A1A3A7A92BBEBF819EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.031{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-02E5-60B9-E852-00000000C401}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.031{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.031{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.031{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.031{D419E45B-752F-60B6-0C00-00000000C401}8486848C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.031{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-02E5-60B9-E852-00000000C401}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.031{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-02E5-60B9-E852-00000000C401}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:17.031{D419E45B-02E5-60B9-E852-00000000C401}1560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000625113Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:13.983{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51694-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625112Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:17.013{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9685D24D0001C58BB3F7883DF129A70,SHA256=7693A37B29A3352C30403421D42F064BF1E77A4E657F9FDD2DFE40F2C831F6B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:18.328{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9EF0D2CFFE1E80DE461B9A40E517064,SHA256=2A81450A6FF5B675C635C5FA2B57ECC3B3C27AE102383873ED48AB102FD57A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:18.328{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BFE06C81EAFCF65258ADE76F160FAF0,SHA256=FDD3AAEFBE796D1789C6DD51148D2D8C4E1BC25AAA2C9AD3C779273CFA7668EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625114Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:18.013{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79C36CE710CC113D9580B6436539060,SHA256=871171A317248E92ABC59F38BFDAA57D31A29E260D4F5DBC9901A4A9EBBCDFBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:19.468{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B35B31F94179F58FE780ABD3B72508FF,SHA256=97A65412230F6C3A7BA8AECC210F000341B6AFE7BE08465772BD6085BC721B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:19.343{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1433F105C17C902388A09B9F2CB4C24D,SHA256=74BCFC0634CECFDD9C7A28C39F112F498E990B6F34583EF0470ADF63C737207E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625115Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:19.013{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF2481F8A7D60ACC6B5EE4BD34F78C5,SHA256=BF91A3EA854BC3BCE7C6474DF2AF60B5552D5DEE59B3AC40681FEDEC5D4CCF90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:16.440{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65168-false10.0.1.12-8000- 23542300x8000000000000000685677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:20.609{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF6040C14862D203578F2629F71D736,SHA256=AF557A9BD80B0293C372384DF0B36EA7E05B0989F5118CE239B004181A4E2591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625116Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:20.013{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC956B5EC460C6F51C4DC17B838FC261,SHA256=94B52F6D2EE1D058A4595BC1EDA0F98B48199A434C0EFD1F198C632F4F2E8717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:20.500{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D9268C572E2AC7BD8F0E7A0A8AB84E6,SHA256=3229D69ED3620961E39107E14BECE45BEDBC980EF10F089FB0CE652D478FD8D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:21.625{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67D4706E318A4E90D30D4754E089579D,SHA256=13638DE0E37E2BFC02BF0E8F3735FBF066F6E791A556CF2B6CE7C9222B675C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:21.625{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CDEBF3F3351F8238BA9F0F76BBF2B5A,SHA256=6F2E0E2EA6938CA7C8BD428FD67AABA81E45221BF0600644DEBFA3ABEAD5BB5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625119Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:21.278{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69E1A45F9561FCA106929CABD012725A,SHA256=39467C29EF347E034CCED4411548AF6A7194712E731190B5E2AB423CE280863A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625118Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:21.278{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46861B1372DF230DADD0F311376E0A1,SHA256=3B3C2F5D20DA11F70F9D1671E69A4EFF444E19AA19EA55E9B9F401DCB551C63E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625117Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:21.028{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5842D1E4E3FAAD4520CFBC03D1B4F8A6,SHA256=F46A6E2DD0DBF54765922F31CBA6AAE96D07BEF58A6B930746707EBFD8C0589A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:22.756{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E07E4F21888C8ED3C377584642818FE,SHA256=C6F118272F63F1C61BA440D8C0B9345D18DE6BADEB67054F29CE7EC9E1734095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:22.647{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4176FA154455CCEED9240F58BF7014A0,SHA256=39C443ECEC66BA1D70CB94517E43A5556FAF8EB1389684D8617DB0346A5416E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625121Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:19.123{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51695-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625120Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:22.028{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E93EF6C01D5478725B2A443453FEDF,SHA256=37C8C06641B4C8E9E8567F48BF56759EFA29E8DE8349052E635D3D496037CF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:23.897{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74525C4EFA1C35290F39E0D252DF8637,SHA256=2A29A6ABFCFE18B45F2514DC273A4718A68CA7609294121592A2DD575E92C40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:23.647{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EC875E4BAE08CE9E23EB0DE97C50FA,SHA256=E076D66868A5573F3F422A239767BFAEF8357A1C1E38D12A72F1615065B43112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625122Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:23.034{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503E5A7A417C4297D53395DDE73679B2,SHA256=AE65D49760EBC576B65D6AD4698429E80562B8C174ECA3FAC8D1519AB7377B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:24.788{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84092A78AF5F486B7BAD09FB1B9E6901,SHA256=67ADC4DCF2F77B56BF301601BB84326F4FC2370862ACC833FACEB4494A95AE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625123Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:24.034{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAF76F8E3727E5E734918D6CAAC9B47,SHA256=42617C9CF472F2F3F67319DA2A6D781939D0440491EDCA313CE884180FFDB3F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:25.803{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=958FB11AF54E788E6BD92A8F71FB831A,SHA256=738DAD05E78D17994505A7244DE824CA2FF6EA47C2F1187ED173C2C66A03BA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625124Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:25.034{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D74688424202A728931617C09A9D27B,SHA256=12C8A71EE61A5FC70AA3EEBDD6439506C1800E8DDA42E4244D65C5D0FECCCBDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:25.038{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47FFDFF3CF7C568B2DDF3F850064BE08,SHA256=F2A8C1F8033496C2916213CE86480B3A4539D0AF64F89E80D462E781A8796A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:26.819{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816F715A36E83F905759B6FC62ACAE21,SHA256=F9BC1D1DF5E714294E70FA9A6028CB5527E2A7D7F16ED323EB51DD4D3DDCA238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625125Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:26.034{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DBE41FD679DA10B81BF2FFE4CA0DEBE,SHA256=E56705B6970A59FF5B73216AA152A894AD6A7767D3BF61434B2516CBCDF71949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:26.178{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0E6615205BC5D90BD008D122382C07A,SHA256=F1A580414E58FB80D36ED5291E1C1401B3AF311352E4AE9C75CEA9264A27859C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:21.494{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65169-false10.0.1.12-8000- 23542300x8000000000000000685692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:27.835{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB672D0C5575A739CDC99E63C8E1FE2B,SHA256=7D78CF9F898C2C870B1E5B7C7CCC0B8D9309EADA15039AAE11DE68953EF3D3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625128Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:27.112{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D9295E1AC6F48AF0E26F125F1F8AFF1,SHA256=28D9CCB2DF5D79B7B0D0C14554A3D49485691E54E75872970074DA3D61433D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625127Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:27.112{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69E1A45F9561FCA106929CABD012725A,SHA256=39467C29EF347E034CCED4411548AF6A7194712E731190B5E2AB423CE280863A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625126Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:27.034{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8769C962EDB0B235AACEF5020B2EF7,SHA256=6151B115AA326AA17A6E5344017D0906F9F07454CA83B47841CE3F41EEFB1859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:27.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2681FA107FDE2F8130761D866EC1605F,SHA256=AA76ED692898BE5C3E8EF7644A23CD6D3E2FF96DC1A56499D7E9D61696ACD7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:28.866{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A62E618E324C66FA0CDCC7DB1BA1D6,SHA256=E6360F22BB2E6758CF3B8593C3239A95F87E518B368B2FB1BC36C0D0D0CD3AFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625130Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:24.942{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51696-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625129Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:28.050{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD3CA04E7D8D22543DD0F605A965CCD,SHA256=E22E6F7B220E5A2F21195DB10CCB3ADE534716F10E3DB3CD590CC0E95AE78429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:28.569{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C02B6AECCF3A855D27B34500834B7B6,SHA256=EDC81D0528D69A6337869CA38B29E6547138EBD83DB2F0CC683B664AF19A3063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:29.897{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3609D45FC4F3EC5DF6D88CF80C8BC93C,SHA256=C60D6CED05078A3895C43F42281AC65F636C073C81F5B57D78063D7B5E08658E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000625151Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.440{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000625150Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.425{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625149Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.425{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625148Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.425{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625147Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.425{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625146Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.409{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625145Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.409{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625144Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.409{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625143Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.409{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-02F1-60B9-4D5D-00000000C501}1228C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625142Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.409{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-02F1-60B9-4D5D-00000000C501}1228C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625141Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.409{97C2ED32-02F1-60B9-4D5D-00000000C501}12285924C:\Windows\system32\conhost.exe{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625140Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.394{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-02F1-60B9-4D5D-00000000C501}1228C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625139Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.394{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625138Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.394{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625137Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.394{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625136Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.394{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625135Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.394{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625134Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.394{97C2ED32-9D3E-60B6-7A08-00000000C501}33644180C:\Windows\system32\ServerManager.exe{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000625133Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.390{97C2ED32-02F1-60B9-4C5D-00000000C501}5776C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000625132Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.347{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=220170E4FCF8357EA2881E930765CA94,SHA256=3509D17612191D483F26E1369F726A8C02D28DCD7617B0CC4435637392A996A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625131Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.065{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B8E332345F7598F36DC62E92E9E375,SHA256=9EF6C622548A0FED0135CBDD5376000C3C941402F1AD8D2B312BC93E7F263698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:30.928{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC83184EF63ECA65D01863A08B8F3AC9,SHA256=05195D807C51BE6DF4ED85DB65B1F9E3C526EBFA97E3E2892AD7DA87451E4DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:30.069{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C42F574663B6AA88FE9659DE4B9AAAF,SHA256=6402D1BFAF1C0F5BDA07BA88CC1079EE1AD490BA780293F2C723CAEF31396CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625164Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.597{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D9295E1AC6F48AF0E26F125F1F8AFF1,SHA256=28D9CCB2DF5D79B7B0D0C14554A3D49485691E54E75872970074DA3D61433D92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625163Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625162Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625161Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625160Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625159Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625158Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625157Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625156Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625155Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.440{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625154Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.394{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=41B0927B0BE24558936965A2FBB146DC,SHA256=9200F820529E9AD1BB287EFAA2682244CD911131BFE7F6BAB7C5129D297F13DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625153Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.394{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=730A6BAFA3D2288AE05BAD624C18C405,SHA256=2663ACA26965EBC4F1474BEB787236050C530E79A6224122562C2371A068456B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625152Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:30.065{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9AE0FD7E71C05FEC7D534AC39D7588,SHA256=17F1E44F49A594CB697F7A40DAC30B1D26BCA95ED163A8A3BAFADE494574F873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:31.975{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E4089384CE18B2B808C5EEE2BA39BD,SHA256=243F38B6A8D943F4816002E4D1D761FBC189085A90733E40B580CEE09630288C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:26.588{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65170-false10.0.1.12-8000- 23542300x8000000000000000685698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:31.272{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49AE88A53A963EF3B5518D508C1DACE,SHA256=62F58910B4C9E74CDD366B92C85C808E15BE80D6BEED158EF804600C76A26086,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625167Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:28.306{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51697-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000625166Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:28.306{97C2ED32-02F1-60B9-4C5D-00000000C501}5776<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51697-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000625165Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:31.065{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BC056B96C45A4286BEFFB25E823E02,SHA256=32EEA80840121EA521C4C5E08E60264AD2565545DF9A5B86A19C428CCBC79715,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625170Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:29.992{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51698-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625169Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:32.284{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C27DA27514C1D81F9ACE7273FA8DBDF,SHA256=12FCFA4B105272BBF63E9DF8E1B22E484AE2C39FABD8A861463523488B10F122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625168Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:32.081{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E4F75ED55E13A48B5188B803851DAC,SHA256=2272C47F8F5F8AE90D3231AAFC8FA31FD2809C2C3EA7348E982257EE8CC63A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:32.803{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F58E7491B31084BF5A95B7715F8E5D5D,SHA256=E6D44FD9BBAE20713E6BC6DE8A96C96A2BD8AA096BD8CF3EFD9DD260B73CF0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:32.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0BC5256FB5C2C1AFC2807B223848156,SHA256=E1A5440DDD845225D06A6231F55D8E94FE7FC858123F62574DD7D019082DAB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625171Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:33.081{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623294E52D37EB2BBCFD201B8E9F79E1,SHA256=213B2D11EEB64A51E5044F90016655A44D03B96879AA7B01647BC43949212703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:33.491{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E03B9D5B20A7C175305F848127B78AEB,SHA256=6E1AD979244E251B2535888942D3BCC7080F7F40EFEAF57CC7E1280370E57173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:33.007{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9E2AAA507C21E9EFE93D68DAB966DD,SHA256=1AC39C225D276A1D10308C882A59F8F9269CB4B356E5896C7E31751FEB79950B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625172Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:34.097{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC62832339BED3C618CC3C97A74678B4,SHA256=D99B6B240F8AC1FE2A25D8EA4C468E00E293CFCD155796D3BAFBA1B32B24F077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:34.757{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5554DF7A0341082012CDAFB405325E66,SHA256=9583F7EA479328A17243F713F6EFACE6C3821F4ECA68642D547D8DEBE2D52B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:34.022{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2ECD5A45ECB32F23DD316483372198,SHA256=15FF073DA3F025EC80FF5A332432AC594511E18876A4623FB5A337113599E471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625173Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:35.097{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C04EBB791479D785E950008044269D1,SHA256=94B8D60DFB58FBEE257CDE27488B126E0D40D5116EFC4276D62DE8DC4F5D5676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:35.913{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C495ECE647828E862ECD87C56D4FA323,SHA256=004CFC48BE5B8DB19EFF112652F5C9EE89D7B97534B760970A90E037F798B3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:35.038{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F9AB7B96409988FCD662244E65C950,SHA256=CB822A53B03105055F2675327D01C9B48516D6F9CDD6423D6652C5FF3196A3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625174Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:36.112{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5EBCCF2100C8A790D378E6E94C7BE59,SHA256=DE5C296A0785C49B4F5D34735A5AE7AFC39E21765867E5B8368B2B02DD19AE90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:32.541{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65171-false10.0.1.12-8000- 23542300x8000000000000000685709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:36.053{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A462BF98790CB56F84C96989357B3F4,SHA256=535A58BDBC9E9CD5A0FA5A9C5A4D1BDA5D93BDE6A446454BC38CC0D68D7A4983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:37.397{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2C29176EAFDE1289CBB1C5920C26CA8,SHA256=9B7BE337B127BC10BEA584BF4DEFAB48092FAE220D56E7EE73CF76C2A0219ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:37.147{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FE2F62ADB2BA3C319DB067FF856E11,SHA256=5A9BF88AB0B666E763E265394EAD1B73C2604D3253CA3A286681C3C5815A3160,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625177Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:35.051{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51699-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625176Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:37.191{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F74D50379BEA7B692FA187CA946620E,SHA256=6CFC44E60838988309A535CB41A07A820EC6BE1977E1379560D31885EFE5C24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625175Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:37.128{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1801320FBC5C6110A834A08A68252A,SHA256=4663E217B96075332F81C43DD01C44CAF0401404ABFCEDC08D2291E9BE09606F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625178Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:38.144{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90EA9717A941C5FAEEFFD1A5EA56218,SHA256=547772FDCA2BDB7542399435305065EF16C997B74E54779C896C4F867C3317AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:38.522{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55B2296AFE8E19F60C86F83A069AA068,SHA256=4D45100C1738C4FBCCCC84E983A3B5C6186503CAD01C3DC1CD00C191019C15C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:38.163{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB521D0F7C9D16E40B193C5DBDCD602C,SHA256=EDDDF8897421FE1F556F3FBD61A3013963400794591C53D64C607B29F1F9CCE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625179Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:39.159{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D76ABEF37C158D87809238B1D8F3B0C,SHA256=B15743620D91136014CDD9A8447B65472355C4AC26EE2CB1AB98265086B86181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:39.663{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88784562175E8759AD9A9D8B3CDC3EF8,SHA256=597F56ED0A102F0DBA55A21877D79055398876834FBFE5D35EA757EA6EA3BFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:39.178{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E284A9DAE624B4CE879C5631426041CA,SHA256=F797BC84652E8777F6D912093A8884481D601D8B6FFBEAF49EA579DD06E582D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625180Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:40.159{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6EAB2D421EEA2BB0CE307A2F2B7EDEE,SHA256=958F521C41F444D969AB5889D3B8F6ED46711233BBEDDB4C6B25C0CF911812DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:40.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D8B21A4C3D86BC2CD792273C4D2170,SHA256=B94A6B51181464BBA2B1BF9646D799BEB9A945AADD07A090305AB04808C0E7C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:37.588{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65172-false10.0.1.12-8000- 23542300x8000000000000000685719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:41.413{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07481EABA2D036BCEF5C21FE917FA535,SHA256=2B5A3E254CE9745F9B64B2E6D81ABB96EDC7BAA2A20DB221892F410515B31FBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625181Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:41.159{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92C7C156C4DE248C1DF4EA67AF87E08,SHA256=461FC662644DAFB0DCDE4AF3EE798009073B6FF641A5A8581C6E8E7A00C90256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:40.991{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91C0F2084C27EA0ABADC99D3B110D375,SHA256=BC24617659E957A15BF0A67E81464A4FD8D87E1762A0790D8F2BDFA0769D8361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:42.418{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDC2A6D3709F2AFC19B4B323AA6BC2E,SHA256=BB29D2BB5661BEC97B248AFA5E16495E7F11B28C981F4D0F559D9613B051E0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625182Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:42.175{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB9148AB71E8927C445CDB1F039AD03,SHA256=16EBFE4EBA773C282599F2E46E0717BF23E52AFC51EF95E4B56D99A5AC111A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:42.402{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA6D4732E05DC018C020721F473D2212,SHA256=7C91F6705039499A318CE4F1EA7AC2B24DC8068E97DE1A98CB33D1AF115ED495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:43.574{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D0E7E0F9E5BFF6EE5868EAE23EBD10A,SHA256=D26AFE136B0C3A2CDFBF4CFFF06CEE3301EB7CF3EB8F2D8AA9217CE4A7527470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:43.433{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FF873931764A675BB47516C9CADD7D,SHA256=8E5851E615947C24DA675011F63461C6F6F0E721B7AFDA931C4A7780CC09EC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625185Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:43.180{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90338F2059DCD08B9AABB15A408FD09,SHA256=26B747DA63568210AFD77DE659637B9F29A73F458CF6D5D547F68D19D818B652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625184Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:43.101{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198689FC3DB941656C47DBD12C1405BA,SHA256=CA01641F2D7BCE546143EB0D3B132FECB74B004FD2926659F03DB77AD17971E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625183Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:43.101{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=381034AEBF46C31CC38380C9C17EB3F3,SHA256=4F603D93E353744B38F2BAC8B0DC4CABAE2BCF36665C57720D168F7BE7E480CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625187Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:44.180{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E553548CE97209CA4C2B9D6A71907BE6,SHA256=8B4380083CD92E80F023F52371F1273965153A8E9E698D036D02E47196494F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:44.714{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D37A4FF3C76E85E7CEEB48E8C5294C1,SHA256=12E8B2A796567BD5325E6515A1762D1EED7BC613306B1EAA63DA4E6064734281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:44.449{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE23622A480298BE320BD51C3713ED09,SHA256=5BE5BC11652B6F579E63A83B81D44F4186B8E28DF55633A91576792DD71A5F53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625186Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:40.911{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51700-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:45.871{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FA47D87421EF8340E632B34EF0D593D,SHA256=861AAB6EEF9532FAFE532A66E94F65069259383EBC9190A5405C8AFA0FE93767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:45.464{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF10E2B7524717F64FD7C90BC6E44698,SHA256=EAA28F00EBEC42F8F832852EBD5F873E9F1C571278B195F68671200ADA01FAFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625188Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:45.180{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B22D6517B896F78B5530B75E62ED6B67,SHA256=D470D575877F5892B3DDFF6CEFCC95872DA080F3D3372793C0988D7BD3E6D979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:46.464{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECBF3093D7027D6DDF9408B564ECD69,SHA256=4B9F986180D5EC444219C235881C3A6A04BBC6170A07AF07CEDF076CD01B9BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625189Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:46.180{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D263731B35B8F3271C963C43084EC6,SHA256=F1C12E4D1853845A55937D9BA6A43B1297A4303081D9E2D589B076322808F9D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:43.483{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65173-false10.0.1.12-8000- 23542300x8000000000000000685731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:47.480{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F5458F0A4421CD98491423EBE57B16,SHA256=D9B4FA1D0CA417151D6C062FDEB7C6105AC9270F488C6E62BA3EB5EB0FCD6023,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625199Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.836{97C2ED32-0303-60B9-4E5D-00000000C501}24363020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625198Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.695{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0303-60B9-4E5D-00000000C501}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625197Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.695{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625196Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.695{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625195Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.695{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625194Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.695{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625193Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.695{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0303-60B9-4E5D-00000000C501}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625192Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.695{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0303-60B9-4E5D-00000000C501}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625191Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.696{97C2ED32-0303-60B9-4E5D-00000000C501}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625190Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:47.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FE700E4E0A5D6B4343FD100EBF8506,SHA256=764D0B61153EEFFF1EC76AE3F734D398CF3AF470A65CBC8E4678787A3FB82945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:47.308{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60B026E38C9BCCF50BDBEC87EBB5B7F2,SHA256=6B884CD0E748F200E7B77004C75CA9923122DF2D9085C0D2F022A39116DC5852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:48.496{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CBABAAAF1BB7F1200594D59D7EDBD22,SHA256=B1B131712CCAB79EA331E05C82AA2AAF29AEDA51A1D3D877EB147BFBBDA9F8FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625212Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:46.056{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51701-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000625211Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.508{97C2ED32-0304-60B9-4F5D-00000000C501}55405748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625210Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.367{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0304-60B9-4F5D-00000000C501}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625209Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.367{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625208Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.367{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625207Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.367{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625206Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.367{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625205Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.367{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0304-60B9-4F5D-00000000C501}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625204Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.367{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0304-60B9-4F5D-00000000C501}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625203Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.368{97C2ED32-0304-60B9-4F5D-00000000C501}5540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625202Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F7C6D3F61CB9CFC48EFADCACDD6108,SHA256=2B9C2358210077085762A7A4A3C53EEF6ED584004BC706872AC5EA2DB7ADB6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625201Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27F578C839D87D99ACF58094DC02960C,SHA256=699E180581B775BE70CDCF9A1B52F56D64727EB5B47008A5920480CE7017D508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625200Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:48.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198689FC3DB941656C47DBD12C1405BA,SHA256=CA01641F2D7BCE546143EB0D3B132FECB74B004FD2926659F03DB77AD17971E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:48.371{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45C1990F8C546D0E5A9A9829D1FEF6C3,SHA256=8444DC340B262D48801D19012BDFA6EFFBE6C3216D8B485F2A21621AD97BA087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:49.668{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FCB9FCF431989D39B9261EBD9668BFB,SHA256=9C6AE41D5F8701E774DF882A5CC4FE3FCB10F1E6F465E2A7D4D016CA483796E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:49.511{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6559518E8D576346E07CC61166E5A6,SHA256=BE6CA01D23EB6068B0208354EDADA3D65FB0D178AA8B286463DF908C745F6184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625231Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.711{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0305-60B9-515D-00000000C501}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625230Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.711{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625229Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.711{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625228Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.711{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625227Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.711{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625226Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.711{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0305-60B9-515D-00000000C501}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625225Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.711{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0305-60B9-515D-00000000C501}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625224Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.712{97C2ED32-0305-60B9-515D-00000000C501}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625223Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.398{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27F578C839D87D99ACF58094DC02960C,SHA256=699E180581B775BE70CDCF9A1B52F56D64727EB5B47008A5920480CE7017D508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625222Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDDBD7596CF0DEA61C61D6F79720D38A,SHA256=60511EF76A1DD37B020BB44DB469D96F0197240EDD2F6640D799CC59FC1EA603,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625221Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.164{97C2ED32-0305-60B9-505D-00000000C501}34761728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625220Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.039{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0305-60B9-505D-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625219Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.039{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625218Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.039{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625217Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.039{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625216Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.039{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625215Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.039{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0305-60B9-505D-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625214Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.039{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0305-60B9-505D-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625213Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:49.040{97C2ED32-0305-60B9-505D-00000000C501}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:50.793{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=329E28FE75768C1AB6611D3F3CDC7470,SHA256=1F93D685FF74DE971A4C7587969ADF6F5C33A1FFF2DF67599B60C59B39C7438C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:50.527{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AEC1AFE1B98669AA1629B366894881D,SHA256=81417284BD00841CF9F2598A7003EEF4EE28DE2CD02EE8278861DE1779E12DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625241Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.726{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D044CE15BA79A4211F9E5355E3DB41DE,SHA256=1AEF348E11989CF75A7D568D49419CC1AB0DF2852AD1D83826DC0D3B3F10186F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625240Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.383{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0306-60B9-525D-00000000C501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625239Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.383{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625238Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.383{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625237Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.383{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625236Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.383{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625235Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.383{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0306-60B9-525D-00000000C501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625234Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.383{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0306-60B9-525D-00000000C501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625233Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.383{97C2ED32-0306-60B9-525D-00000000C501}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625232Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.195{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48B5662B62E397D3F04F1AA795E4185,SHA256=BAFB2822E5FED9C2B47A8F3C6981FF84873C0A0FA4B270710D3A06F73F73803F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:51.933{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91D73B3174354E915C35479988CD21D2,SHA256=8234015D402F877A21B43C188D2E1DFA945ABBC74793AF5FCD80AC0208173272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:51.543{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254BA0599728EE6D94D9DB734CCBFCDF,SHA256=5EFDFE336B3F0633BF4B1334A47C21955867C44911E8F7D60A3ABCF65E2BE1A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625259Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.805{97C2ED32-0307-60B9-545D-00000000C501}35123564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625258Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.664{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0307-60B9-545D-00000000C501}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625257Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.664{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625256Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.664{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625255Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.664{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625254Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.664{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625253Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.664{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0307-60B9-545D-00000000C501}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625252Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.664{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0307-60B9-545D-00000000C501}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625251Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.665{97C2ED32-0307-60B9-545D-00000000C501}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625250Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.211{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89414EB69972AA785B2912B3530B46A,SHA256=8BB370A7931415E6B8083D09857511FE8C47AF9A26DCD073CB594042A0DF8123,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625249Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.992{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0306-60B9-535D-00000000C501}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625248Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.992{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625247Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.992{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625246Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.992{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625245Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.992{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625244Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.992{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0306-60B9-535D-00000000C501}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625243Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.992{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0306-60B9-535D-00000000C501}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625242Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:50.993{97C2ED32-0306-60B9-535D-00000000C501}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625261Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:52.227{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CCDA61438EA1B663BFF2FB72DC78A8,SHA256=1BC690B287E3AA6B803CB21D6B0854616957C157638E479677F9162492728A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:52.558{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACA1DCD64E71540B2B624490637889F,SHA256=34B8181C459E12A024F00E365872C2A6452082614D374F6095CEB0208E18621D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625260Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:52.102{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E5A253C67AB00AB7F71F64E63D63676,SHA256=87255BF526786CE3E0B9B34B21AB6D63145CA780423C920C7805EFC2B71C9689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:53.574{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611CDD4649334F9897F5CA0728EC3382,SHA256=42F771AB5C0EB90FF42FF0A6079BD019A9E46F8A42B3EE210E2FE570BE550187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625262Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:53.227{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1769529BB9D392062F58CB2723A6A28B,SHA256=F399AFF54ADC314DEEFBE3F220D727A31B38755219CD44C2ADC5DE74D6508311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:53.074{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91C3D26292C2F48240B4B6939E50F2DE,SHA256=6014C05A0153CDF303D85AC93838C7357C5611E3752D321E3986405F82DBFA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:54.590{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE4D65D56E1682386B27EC15885E5DE,SHA256=B574E17FAC264E3609BE28CB018EF6C0FB6EE99BC31B6FA7084C89238CA6B57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625264Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:54.242{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8F422DDD587842AE0884B8529E879D8,SHA256=EF3D9ECEF5088F6A7D0C519A9E9A522C2BD8EB26A9EC16E1F8DFAD4651032D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:54.324{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8FD34E8F8CF6E814B2BA8B1A0C3056,SHA256=4A78CB8AEE0E572A8322E7ABCCDDEDFEB115322553CFDDDA694B2301776302D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:49.467{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65174-false10.0.1.12-8000- 23542300x8000000000000000625263Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:54.086{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A67B3853CD1D7E9EE9FD19E52CF52BCD,SHA256=1DAFDE960D53FC3D611525069F02F9B3622ECBAC729BBCA74CD4D94345FF6C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:55.825{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D83BF86D9C1EC80802C474B837C92B4C,SHA256=BE79101D54C575F0960214C53D9B3E4DA1B8C62607DB6091C7D4F4BEC5F36B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:55.605{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C037107205E8AE91CCF9D432EFD32699,SHA256=D1F775E44436755D0E089724AAC3E30FB737D37E1E95FF8BDB351861F6DC4380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625266Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:55.258{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D795FF94BB1E18B086B6E5CE03FA47AF,SHA256=DC2D5D81FAB23EA47F2AA6233B3E6B40CCA00756B58F76FD7D62D7B8EE92CC1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625265Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:51.947{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51702-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625267Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:56.273{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D03DB10AAD22A9CF7B4FB6E029683C1A,SHA256=16CBF78402791CF34E18C05701BC248AE1BC60966037D9E43F8D594EC50E516C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:56.964{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C135A9EBC43ACE8EC102380153D929F7,SHA256=76D3F4AD4AC4088B73C09A5729CC58864BA1352D71EE65EA5D0368A4CCE54141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:56.621{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C122296ED72218193702B32165D03A,SHA256=8AE16F9286AA1A5D2236FC160F111F8D9F892D986EB18D0322105423F11B5DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:57.668{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67D40FF0BAACC214FA72152B06F9EE3B,SHA256=7134D8D596C0375CDCEF1F91AE2CB7FEB6D37D3086A8994402DB41132D689B87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625268Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:57.273{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A7DFEDF19F1C84C3FC44BD452C4BF5,SHA256=41977372CF89C71DB551C471EFDB6638A8064852DBA5911D4CC77EB8832739B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:58.886{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87B1B24AEDA4840314A5A7F5CCEB2EB,SHA256=A7908ECB6E592121FD06F9F0B1D9058D642F512EF4897F67AA466E16D385C180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625269Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:58.273{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0B63C81488EFA30932F43D6F5AA20B,SHA256=B2D4F12D8B93EBD49EA52897463D415A73275BCDEC654C0E8B92BF54AAF380AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:58.105{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0B7C51481855DECD88A0159F0C6145D,SHA256=BBF711800C9E8988CE142B7B03E504ED585DCD04D2203386F166C0FB3B8BA544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:59.918{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535ECBC7A04B06279B6C15273F8A8100,SHA256=DE316949FD616187FAED6338342CC1125A2DAA13A85B5450DD36AF29EE775C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625272Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:59.289{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45580C76903C4F2E8AD4B923D80C3FC5,SHA256=82CC20C04E10A3A716AB502745499D2EA5948C1574852D232B40FBB5FAA53AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:59.371{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14FE1A57671C66A9F2FD68151221C521,SHA256=ADA035B190696BFAD7B5139A1C851BD96D9450ACD864DAF675F36B3682BFFDE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:27:54.639{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65175-false10.0.1.12-8000- 23542300x8000000000000000625271Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:59.101{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A9A15DA435D2E10B898B58EF32D5C40,SHA256=8F3C7EE42EE1BDB56B5E2C8791E02AC30CDE1A0F9C02365B1FEDFEEC7B2748E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625270Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:59.101{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CC3CE994B550A73654C7871B82B03F3,SHA256=911B9B23FF3B9C1BE660826C749E8498CE3E4A4D9C42412F5AFB8D0983ABD88D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:00.949{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C91B5D3284510D86EF6ED9B8FD18FE,SHA256=7E03B1C56A5FD5B0CAF9C305E32796F48AAD0715FE23032183A1019C1B83607B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625275Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:00.742{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625274Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:00.289{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776EEC4D53CEBA54BAEB590F3DCE1530,SHA256=DB24B5895C318486FB882137884C60DF2DC0F1E2EC6BB915A85135C9147775DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:00.683{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=573A634969F7F5FD403DFB1CADFC19CE,SHA256=6EDD06372C5E94DFD6C61E929435F788A4172F18CF4FACD5C3D7D833D5115DEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625273Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:56.962{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51703-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000685759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:01.965{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE62AAA97654BF3DC422FE7FFB2CB16,SHA256=81B62DFDD16B9DDA1E9CE780C4FF67086E80B30DCCBA43DE4D866E6008ECBAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625277Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:01.726{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A9A15DA435D2E10B898B58EF32D5C40,SHA256=8F3C7EE42EE1BDB56B5E2C8791E02AC30CDE1A0F9C02365B1FEDFEEC7B2748E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625276Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:01.305{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2783ECDEF5C8F3EC1F130B3DDE85D63,SHA256=06252C130FCA935AEAC37E5A79929040D201951497F6884C1935FD2E488E12C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625279Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:02.888{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4D4C205447A00FE0184C12D74391405C,SHA256=C682456CEFC38D2EAB18E4F9678BA6B0A7E462A6C7F79DD7AD6EDCFCEB459947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625278Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:02.310{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B355732300189CA6BADD611BF18202B4,SHA256=64EE33FEDAF2E4A5F922411E2E348DE70F5E9AB5C2930786BCD8B44BDDC6442E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:02.152{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6989B3E39683052B84F170E2FA48BD0,SHA256=3A22DE64BA3E4E14547418A639460F9FAA35D922D8884D40F3CA7A4BA72A94BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:03.782{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:03.235{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85FA9E759370FC6255651691ABB72DAB,SHA256=81E8B0D6424E89DCD0F8E9BD8F599E1559E2F7AA8C29D22A435BCC7C59DC486C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:03.001{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6AD57361C93A6EC1FBC2C6A3C77E397,SHA256=340528D0B38CC959AF92264382D4B3228896AF57B229CF8AD6C194E3FF66E040,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625281Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:27:59.587{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51704-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000625280Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:03.325{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6983BEDA0FB19A58E572EB449C30D168,SHA256=3809132D773D9F84DF42B3A38559C331F9645220068219B210C5C7D0F8E17968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:04.376{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5C4DA1B573597B4EC0126D28B180248,SHA256=C718FA14CD90AC7A888C6269E46316A510518F4BF96A874F2D147D628E5FC09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:04.141{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058300D7492C1B51748C64EB686F5855,SHA256=86003220FFFCD36B502D83B617D5F543A3CDD0A95FF545DDE64172DC7515FF1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625284Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:02.014{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51705-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625283Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:04.341{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680E41F48EE4A8D141EEE0100FFDE348,SHA256=F812DBE05212F6408F9CC1AD2877664B52B1F14BB1DA704E77732FDAC3BC153E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625282Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:04.169{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D46D3E27A5FCF07CC386D023F8E58990,SHA256=8076FFBCC36C943BEFAC9F5FF4F3DDC09D5974C860DBF5BCEEBFB40A9FBB18DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:05.516{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD92374AA812B9F527596357BD9BD5A,SHA256=B7EDCC02111C477D237F6E3C8DE9BFD071BDA14B0AB4E031359EB8746DCED908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:05.360{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081D3B03E115E57E5F94D90B5F103FBD,SHA256=8360876E71C3CF731931A6D757D3B13BB2704172ABF3A5C7CB655282403850BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625285Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:05.356{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C9BC3147C3B7B2AFB57E3BB2795A4D,SHA256=6A022770F65F89E01B5C1142F6646CBEDB1DFF81D6F4F9092FB71C2C3FF1115F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:01.175{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65177-false10.0.1.12-8089- 354300x8000000000000000685766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:00.631{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65176-false10.0.1.12-8000- 23542300x8000000000000000685771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:06.688{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59CA2240A81EF0B583DFB47241BFDB09,SHA256=3D4511237DEE02F16C34880DB1304BA6838AD54529FD8E2800BAF5121D66FAF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:06.407{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7276C164EA6EFAA269FC0EFF760D9818,SHA256=7492EE6E12B587D5BCEFBF5D515E628712F819A1608B88C86EC52C349A0DA504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625286Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:06.358{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E049BD1E998905099EFE5F4155AD07,SHA256=49A5EC569DFF32CC63435706B2FE2E6C21E8782ADE08654EAA6FB7011AF25939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:07.797{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE38A78CA5C1B6A8814429C81DF80BAE,SHA256=93D2B874216822C7D87CBBC99156131D9D10C47E7811443C59FF6072A3DFD869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:07.454{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39EF29020AB3522DF15E683A0746B58,SHA256=079F1251552CD7D9F3E8A64519856D631C706A56F67126B881B2BAF5C4D011A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625287Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:07.371{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393D3C91D5D06A592128AC1499DB718A,SHA256=39AAC15AB925AD81F921602EC7C0BD16BACD6535FFC90F7A195D7504CF73AB08,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:03.207{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65178-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000685772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:03.207{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65178-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000685777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:08.985{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ECC66F0A9C34237181D5A87346CFBF2,SHA256=5DB141C41EA5A0EC9ECA9B08909DDAE2E3891C684D452DC1589A970A8D0B2794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:08.469{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5039D0B8BD7106CDA675C0C2B39D3517,SHA256=0491D6F6E412D75064D0A2AC53E88910DBE173FD21E7C53F9D8CD92053FA9E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625288Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:08.373{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F51C0490318E7119DF42451BE3BFAE5,SHA256=3F631C5D3E32DE8DC51EE376C0BC1573173B51AB30FA13D2474062F896900CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:09.532{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE783CE14AC7267427519C59465250BB,SHA256=D362F7F29C4B1EF6DB90B94583E82E2D8A6488724F409FC02F5612A4C6028FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625289Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:09.373{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5611912FC88A5C0697B01F585A1AD4,SHA256=2A3F5FF2F84E5B15AE7DFABE5BDD93D940997C0B437F393E7BBB30F748C05A97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.814{D419E45B-7530-60B6-1600-00000000C401}12686196C:\Windows\System32\svchost.exe{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.814{D419E45B-7530-60B6-1600-00000000C401}12686196C:\Windows\System32\svchost.exe{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.814{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000685792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.767{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE9D99F4F79269FA9DC5F9D77B8B6C4,SHA256=13BDDF2E3DE51AA602DB253E166F424CA07CE6527B2612E859CBA3BB83A9EEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625293Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:10.389{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3A1C9033E1B4434C936C6AC0B385C4,SHA256=FB10F36C6718F6F4D4ADCF916B1ED5F5897A6CFC3491E34205ADB6C8B4A30ABB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000685791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000685790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000685789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000685788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\LeaseTerminatesTimeDWORD (0x60b9112a) 13241300x8000000000000000685787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\T2DWORD (0x60b90f68) 13241300x8000000000000000685786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\T1DWORD (0x60b90a22) 13241300x8000000000000000685785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\LeaseObtainedTimeDWORD (0x60b9031a) 13241300x8000000000000000685784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\LeaseDWORD (0x00000e10) 13241300x8000000000000000685783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\DhcpServer10.0.1.1 13241300x8000000000000000685782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000685781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\DhcpIPAddress10.0.1.14 13241300x8000000000000000685780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:10.564{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3475ab5b-c30a-42e2-a4bc-b76a755b6f65}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000685779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.267{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEBEF3253819CE27699374966E42FE1F,SHA256=DCDC299A4DDFFF3BE04CF1A16761FB42C8A73D62CE41700E2AB1BC2CC3A162B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625292Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:07.906{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51706-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625291Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:10.076{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1EC8142B04BE145A9260A951A1C10A3,SHA256=525E179682C0D4508CAD2888D0416C5C5B9C8408673A26B6F0AF66692D4E3151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625290Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:10.076{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13C55695CCE566D0344FE408B3DA9F05,SHA256=BABEF652F39B3E0C9A9E58A3D4162E776D8CC90E064E928375840435554D1EB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:11.796{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1AFB5354D828F46B1F294C9E9A6109,SHA256=CC94CA013D66E7A5C5BD6C9763BB986BAF56CC44ADE1A5F84485D4949B4355F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625294Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:11.389{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980595AFD092376BAD6C136F6485E7AB,SHA256=3578B810ACAB72801B98C521E066FD9865F41FD11EA2A3AE1D731729524E4982,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:06.534{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local65179-false10.0.1.12-8000- 23542300x8000000000000000685796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:11.437{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1CE48477F833B3E0A28A9E8F48345C7,SHA256=0A216F01E036145C0893049621E2B8B0CACA2E3726267B95636C2B50FC238064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:12.957{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75453B89C3E7F338131BCC1AD00A9B6,SHA256=08F016C140FD16CBD42E02A2548B841686941FB3726A942281DD91057608E867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625295Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:12.405{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4224EE3F33F7E19B5F59F59D6FEB7915,SHA256=690FB252EC172B780551E0C1FDC78DCD8E3B622F16D59FFC2B11D894627EEFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:12.598{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F94B3230E1A6A35B1968507787185DF2,SHA256=701906112BF5C1B6096BCBD554F68274424EDCF3A62D103B867F3666DC5CB0CD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000685817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000685816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000685815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000685814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\FlagsDWORD (0x00000002) 13241300x8000000000000000685813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\TtlDWORD (0x000004b0) 13241300x8000000000000000685812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\SentPriUpdateToIpBinary Data 13241300x8000000000000000685811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\SentUpdateToIpBinary Data 13241300x8000000000000000685810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\DnsServersBinary Data 13241300x8000000000000000685809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\HostAddrsBinary Data 13241300x8000000000000000685808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\PrimaryDomainNameattackrange.local 13241300x8000000000000000685807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\AdapterDomainName(Empty) 13241300x8000000000000000685806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\Hostnamewin-dc-233 10341000x8000000000000000685805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:12.582{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000685804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:12.582{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{3475AB5B-C30A-42E2-A4BC-B76A755B6F65}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000685803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:08.224{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65180-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000685802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:08.224{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local65180-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000685801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:07.983{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:98c0:9fa9:a8a:ffff-56485-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000685800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:07.983{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local56485-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000685799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:07.973{D419E45B-752F-60B6-1300-00000000C401}616C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-233.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 10341000x8000000000000000625323Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625322Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625321Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625320Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625319Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625318Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625317Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625316Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625315Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625314Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625313Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625312Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625311Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625310Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625309Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625308Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625307Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625306Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625305Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625304Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625303Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625302Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625301Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625300Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625299Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625298Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625297Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.436{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625296Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.405{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A512752221056445BC52F32BA6C255,SHA256=F8DFFEC1933F3A3C012441942FCD6F839BE5C9C244A96F5ADD554B06937D7BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.879{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-031D-60B9-EA52-00000000C401}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.863{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.863{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.863{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.863{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.863{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-031D-60B9-EA52-00000000C401}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.863{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-031D-60B9-EA52-00000000C401}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.864{D419E45B-031D-60B9-EA52-00000000C401}5256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000685858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.848{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.363{D419E45B-031D-60B9-E952-00000000C401}65844160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.191{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-031D-60B9-E952-00000000C401}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.191{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.191{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.191{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.191{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.191{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-031D-60B9-E952-00000000C401}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.191{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-031D-60B9-E952-00000000C401}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:13.176{D419E45B-031D-60B9-E952-00000000C401}6584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625324Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:14.467{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD73D3CF5A4E3C1B570B69439A8ED761,SHA256=B8896418B1A8A2B08FE291CA1EB433B3DE72F586FE8D70600704BEC802C057BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.006{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-233.attackrange.local53domainfalse10.0.1.14win-dc-233.attackrange.local57422- 354300x8000000000000000685891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.006{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-233.attackrange.local52712-false10.0.1.14win-dc-233.attackrange.local53domain 354300x8000000000000000685890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.006{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-233.attackrange.local53domainfalse10.0.1.14win-dc-233.attackrange.local52712- 354300x8000000000000000685889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.005{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98c0:9fa9:a8a:ffff-52712-truea00:10e:0:0:0:0:0:0win-dc-233.attackrange.local53domain 354300x8000000000000000685888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.004{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local65505-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domain 354300x8000000000000000685887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:10.004{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local50290- 354300x8000000000000000685886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:09.999{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64431-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000685885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:09.999{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64431-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000685884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:09.998{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-233.attackrange.local53domainfalse10.0.1.14win-dc-233.attackrange.local65505- 354300x8000000000000000685883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:09.997{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local64430-false10.0.1.14win-dc-233.attackrange.local53domain 354300x8000000000000000685882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:09.997{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-233.attackrange.local64430-false10.0.1.14win-dc-233.attackrange.local53domain 354300x8000000000000000685881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:09.995{D419E45B-753F-60B6-2700-00000000C401}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-233.attackrange.local53domainfalse10.0.1.14win-dc-233.attackrange.local58887- 354300x8000000000000000685880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:09.995{D419E45B-752F-60B6-1400-00000000C401}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-233.attackrange.local58887-false10.0.1.14win-dc-233.attackrange.local53domain 10341000x8000000000000000685879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.535{D419E45B-031E-60B9-EB52-00000000C401}65644376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.379{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-031E-60B9-EB52-00000000C401}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.363{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.363{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.363{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.363{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.363{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-031E-60B9-EB52-00000000C401}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.363{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-031E-60B9-EB52-00000000C401}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.364{D419E45B-031E-60B9-EB52-00000000C401}6564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.113{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C0EFA72B403E3568660DF9FA60BD73,SHA256=6B15C28D6FD4DDFB4868BBB839D73010E5AE2EA54EAC9432360A33B84FA661D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.098{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD80421B1116509DB344FF1EABBBAA28,SHA256=5379A24C85D8D5308AAE427E89A660298570865F17D85614D5B7470D7D19E1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.098{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6AEBFF259EE658D48AE8CCE9EA50A10,SHA256=193FCAC39D66B1873BB3DE136D4F8D0935C790FF8C4ACF87036B07933E32F621,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:14.082{D419E45B-031D-60B9-EA52-00000000C401}52566528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625325Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:15.467{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9159270166581BC4DF9BB2DEBCE6221,SHA256=4611FCB2AEF3970302E8BAF3727754329C1E92DD94E4A876705BE317D3E1A543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.707{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-031F-60B9-ED52-00000000C401}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.707{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.707{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.707{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.707{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.707{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-031F-60B9-ED52-00000000C401}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.707{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-031F-60B9-ED52-00000000C401}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.708{D419E45B-031F-60B9-ED52-00000000C401}4296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000685903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.332{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D2D92763F5558AE7DF7EFFC1684C90,SHA256=305BABAB6DCF53CFEAD326405892B0ADFAB8B5C8D55884804E9AC00F22F3D87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.332{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4171DD9E42C03E1A1DA0DEECEB424D,SHA256=DCE081E1CE3481A4A8F7CF8CAD0B386176B7B0B3250AF6FADAF7D4349D86A299,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.191{D419E45B-031F-60B9-EC52-00000000C401}68321876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.035{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-031F-60B9-EC52-00000000C401}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.035{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.035{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.035{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.035{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.035{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-031F-60B9-EC52-00000000C401}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.035{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-031F-60B9-EC52-00000000C401}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:15.036{D419E45B-031F-60B9-EC52-00000000C401}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625328Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:16.483{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22933AA08E0B11C906E63F23C5514417,SHA256=DD8F21B7180ADB21996F28B6E23A1AA4CD98CCED91829837DD6A0D3116626D13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685940Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.879{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0320-60B9-EF52-00000000C401}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685939Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.879{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685938Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.879{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685937Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.879{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685936Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.879{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685935Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.879{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0320-60B9-EF52-00000000C401}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685934Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.879{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0320-60B9-EF52-00000000C401}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685933Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.880{D419E45B-0320-60B9-EF52-00000000C401}2488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000685932Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:12.475{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64432-false10.0.1.12-8000- 13241300x8000000000000000685931Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000685930Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09fa844c) 13241300x8000000000000000685929Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588d-0x12d17486) 13241300x8000000000000000685928Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75895-0x7495dc86) 13241300x8000000000000000685927Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589d-0xd65a4486) 13241300x8000000000000000685926Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000685925Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09fa844c) 13241300x8000000000000000685924Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588d-0x12d17486) 13241300x8000000000000000685923Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75895-0x7495dc86) 13241300x8000000000000000685922Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:28:16.691{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589d-0xd65a4486) 23542300x8000000000000000685921Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.473{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853BAE1026E3390BB5C8730112CCE899,SHA256=E731B4DD7C1532B957A2DAEB5E6545C7804BD7DABDE45B6118FA16C4553A11AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685920Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.473{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B70138C33E9B2861D15B97264E44C388,SHA256=E2873A999470259AEBE66405409FF4A8F6F18B936E2B4E4D3D2FD48EE97D66B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000685919Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.394{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0320-60B9-EE52-00000000C401}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685918Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.379{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685917Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.379{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685916Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.379{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685915Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.379{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.379{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0320-60B9-EE52-00000000C401}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000685913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.379{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0320-60B9-EE52-00000000C401}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000685912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:16.380{D419E45B-0320-60B9-EE52-00000000C401}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625327Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:16.061{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00B9A86FD5024AEF8FA1C647C2899B67,SHA256=2B675CAD69DB8D9DCC0F68ED56334FD89C27BAF3F140AA7945BC3C467DFAA979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625326Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:16.061{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1EC8142B04BE145A9260A951A1C10A3,SHA256=525E179682C0D4508CAD2888D0416C5C5B9C8408673A26B6F0AF66692D4E3151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685942Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:17.629{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AFE1B70ED4B3B486EC58283DAB18FAE,SHA256=414EA436E616A6FC9971C0F1B9333BCE253C39E6B9514C00A78BA399B435428C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685941Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:17.629{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A95E100BD85E8865A798B3E1C3FA40D,SHA256=5EC39CDA0C29FA2EB73B099AC0013EADA8483279208E796B303494B0AD44DCC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625330Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:13.906{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51707-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625329Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:17.498{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89876F038148D32AF6F97CDE7DF0D959,SHA256=BF1EF94FF9F1932D96DE91A711676221BD7BD1CD38935BCF0C01D284163E9271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685943Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:18.863{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D70C8DDD63279F4ACF2009E04CC7C8C,SHA256=13F9A43E79E7D0DE67094A3B2FEC6056DB0BE609C2D32A30E77D9C03A7B40A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625331Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:18.498{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0126847E9FD26C8170C24CB150520953,SHA256=4E0D36B76F589F2FA0A0FBEA2655ED169982643D23C2C5B5A8F2D64BD55BB810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685945Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:19.957{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA960CD7A99CCD36D7A7082BF167C210,SHA256=662FE3DC01497E5109CBC072E61F992FB039FC86165DE5F6F6C9738F295EAB3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625332Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:19.498{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B3BB50E4FAC7B3709290CE077F9F5C,SHA256=A6DBF26DF9398D5956FA4AEE6C2A0B7A4638E6357B2819EB3D4C5B0F0883EB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685944Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:19.285{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DEF569E3C3128B51D7DEB767321C91C,SHA256=6EDA4D39E2C3BD3861ECF9DBDD8B2E5E2489E35EC94768F69BFD59DABC859303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685947Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:20.973{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D6A99E69FCA560A5E385FEFA9739B9,SHA256=8407A91556D1551B745CD2DC8A416ED6E83F567214B82269D7AECCC12ACEFD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625333Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:20.498{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA0EC7766056ACFF05BBE0177246C267,SHA256=1C74E1AF69F9FCEE247B15CCF10CF8D4B29B047ABD57243F1349E8A65F29B2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685946Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:20.426{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BB42D39A5E29E68F03B40EDCB1DE2FD,SHA256=3A5EE1386CD30FF41CABEF3B0D08BC5750F26D82A9C909DD6542D8F21E20A9EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625337Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:19.094{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51708-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625336Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:21.514{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3F0012B9B51FA1F74C2C8EF518001F,SHA256=AE872F44E76E0F95E0ABEECC20AAB55A5661CE0E6B38AAC169D18B53F16032F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685949Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:17.522{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64433-false10.0.1.12-8000- 23542300x8000000000000000685948Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:21.676{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89494DB547F05C7E9C48C5D3BFFF2B16,SHA256=ECF646A8DB56CDC9E7DB6C61B8464E5884E3F87656B623CB6B58C08495DEE381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625335Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:21.452{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C754BC7B966745E1DDF9EC4CF2B590D4,SHA256=71BB3DA898019D5AB08693EF3132ABB36D8B45AF1E05ABE1CFD93B608FD7A4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625334Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:21.452{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00B9A86FD5024AEF8FA1C647C2899B67,SHA256=2B675CAD69DB8D9DCC0F68ED56334FD89C27BAF3F140AA7945BC3C467DFAA979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625338Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:22.526{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37ECE84399E8E2FE40A11E05539E6BD4,SHA256=85EC5C4086045B1AE675289EBDBB0B123A41FEF15C0E63C7327CDFA4C854E68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685951Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:22.655{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41F0CA23BD4CB86AF84F278C637D070A,SHA256=D2DAC79E8FBA917F15FDFF8EF108ACB0070A9A07608F7D0E4154707859D5185B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685950Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:22.004{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EFDDC43E2822FF448F6082E95ACCB8,SHA256=30D062D8A2C5BAB63216C616F6E3A58957992DA27B9F1A9401DB0F8B7ED7D081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625339Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:23.526{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53B99C6373D9737320DD7201B9B37B3,SHA256=93F4589008F9055AE4C36AE73CFC99CFFFFB74E66201A2F24C69E016C35CE8F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685953Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:23.686{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9E6916A0AD14F398057BCC2E8CC14EF,SHA256=37EF5D6D800BBC5B0C96B2F4654E2A6D78A1DC03CFFCCA99E7E873B04D24B407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685952Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:23.077{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F001D5500BCC8D4CF7147D8EA8CE9E,SHA256=E54FD739B5079029173F2BD4616BEDCE71867322546FC90D6D85DC54A10A1633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625340Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:24.526{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CB6E443368D5417FE99AA569C6BD37,SHA256=5000E751FD821161B71870C3DC34139F92397C3714177302A2D8AF194C510E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685955Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:24.952{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D07C24548B8A2302117ADC96F72AE7A1,SHA256=1F2A33265D16E55322CA6384A1F9C0A66A06AC4E10F9F0C092F0CEE5AFD394E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685954Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:24.092{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1336AB58758339DAB1A8885AFC56442,SHA256=F5A6934DD67613C09552EF89AFE9E9628FB2A23C7A42374ACF529FE8369AFC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625341Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:25.542{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608D6B85C39EF23286FC99041EA334F4,SHA256=34ED31A42D68EB478F5510F42AD42F21B36BD8AAFD500B3CDD18DF611774ADA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685956Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:25.124{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0498E116E7D8AD902B88E59A36F682D2,SHA256=9667DB9CEBE5E78CAC5DFF68C971320A965E85676D05AA15E86B031710CC2D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625345Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:24.121{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51709-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625344Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:26.542{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078780768F2A008501B70B24AC900FC6,SHA256=CF8A79052A28677ECE2F3315E309C552C39A53A9BFE596115224D412BF33CBDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685958Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:26.280{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=036DC88231461C59DF197B73A9B44D49,SHA256=EE3354A24E8280E8BA519205E175F423D4E6326ECD45848B8B7BD8097C7AA2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685957Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:26.139{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A397AD2872395DB4CD3068EE4DBE1516,SHA256=152DF1E3B945E062998A2B0145B175D699FE5F60EB9AD06076E7C79E3EB199AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625343Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:26.479{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75F04C4A61051576709EBC5CC4E75C5D,SHA256=56B144F62C343FB958D9381BAE7E610BEAA7164184A96650FA43DA1C634239A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625342Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:26.479{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C754BC7B966745E1DDF9EC4CF2B590D4,SHA256=71BB3DA898019D5AB08693EF3132ABB36D8B45AF1E05ABE1CFD93B608FD7A4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625346Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:27.557{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E715EC44BFB7ABDE34D299B0E5A7194,SHA256=3174159A673A1CEAFB60630A2EF3934E24F4CF76E84B0D128BCC245104855F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685960Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:27.436{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4A1C8E4853BE41758B638575EEA9C54,SHA256=887F5F2642B1AE916B2741963550E4214DD1033FE0D43946ECEA8DC8EE595E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685959Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:27.155{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4EBACF58BB162D81B9DA33394DFD97,SHA256=83BF8CDD243AFF2EE9953C4A2CE40FAB421BD4ABE4447E30CE9CF00F76AD132B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625347Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:28.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51849BB2EF5C3CF15FD2025FFC9366A,SHA256=8DA948BAE543AE35119C55E29CC4DA57AA1FC58B3382EC6C4407277986857F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685963Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:28.561{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E5F75E0BEC89E61CFAC2E75BB913C5B,SHA256=6E96DAFF3BD705A9943F10BE28BF0A2EE8323C95CC1278B41A370F92187796EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685962Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:28.202{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CBCC93AAC10FED1CE923897D70F223,SHA256=46B754FE3C2F48A5241F2EC2D5027DE06EB93CBC9734CA4FBE568D23601AAE1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685961Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:23.454{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64434-false10.0.1.12-8000- 23542300x8000000000000000625349Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:29.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4866404DF0ABA0032F5A64735A4E1A94,SHA256=B32B1A41528CF402AD0FBD005EDE3304BD418067D9701FA4782EF4A7CCCBC6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685965Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:29.922{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1ABB8D97561AD0235BFF90F5105D95F,SHA256=183945F575A126F6FC52A61866AF2ABDFB91EF1E39B8264E0014A7E6755A7FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685964Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:29.219{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEB0FB03D4FC691240FB9926E50A4CA,SHA256=13242012A2AE13692F13B1D66BF45BAAC444E300B530449EEBADBDD525E42BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625348Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:29.417{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9f2dfe0.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625352Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:30.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A09BE1E7A2A039A62029E0F44AEC71D6,SHA256=49C6C20C0098CF87532CCBA1D4C67AC3EDE3E4A748DE30C1A01BE9F5DE6F0311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625351Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:30.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=41B0927B0BE24558936965A2FBB146DC,SHA256=9200F820529E9AD1BB287EFAA2682244CD911131BFE7F6BAB7C5129D297F13DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625350Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:30.573{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369596E7B12305E8C97E61277424F915,SHA256=D6BA4DE403B090A1546B8DCF5FD16A451F1DB3C07E320C9EB0062E397E1374C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685967Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:30.953{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C636527F4A78C0C29822FC0CC2D8D29,SHA256=4F70FA156474A873B0AB26FA0EE1D2D29B5ADD125015A7A43C0E55FCD69116F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685966Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:30.235{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF712A50A8EEBF141147E39AD1DE6682,SHA256=70288D230B4653B5220FA60D537DEA1BECDC333FF4CB14BF2502B42B769B610D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625353Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:31.589{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3ED011D772ED8D8EFD821A2326041D,SHA256=88B810AD8CB76BF5DC8334CF66334CB2F1350C191B92F2761CAC3169299B2C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685968Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:31.235{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42DA02362CED5FDA7CE9615B11144235,SHA256=CBB3E5FA1D73E9277C41436EB4D9E55654D3B98D67EEE4805F65D7B659AE4662,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625357Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:29.950{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51710-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625356Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:32.620{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD4C1361D3C8B1329C1FDD9BC81C38C,SHA256=52403BA4CC10C9488FB1CAF524A5FB5F9E850F3DC9E0CADF7B17A1E648DB3019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685971Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:32.813{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BBC4BA75EAC55E678299C989A43E0209,SHA256=881F50B96CF65694C03F604D98CADFDA5021DD28B82C73FC5B379155BC7FC251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685970Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:32.360{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F35567A2C8F634B7E026466387047B6,SHA256=E6380E4D5FFC87CF756841F4C282F34DBD26C637A84506A2D030C55B02B14A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685969Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:32.250{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30604CEB7712BF6261489F76C8235E89,SHA256=A10DF8ABB39FB6D96A8E243F830AF7E695DF056C99E94A019F2884BBCA379D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625355Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:32.120{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F23A8B30CE2606C454D1F4A75E3BA840,SHA256=F6CA36FB805B8C1C6E44DBB2EC4737948DA1FD1A9864BCB732CB6DA3DCD1E3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625354Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:32.120{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75F04C4A61051576709EBC5CC4E75C5D,SHA256=56B144F62C343FB958D9381BAE7E610BEAA7164184A96650FA43DA1C634239A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625358Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:33.620{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BEF15B789501B4E4E22C9DA75855D2,SHA256=51BB27D2A4A2DC828641B4B43EF7F14DAC47A92DBD5DEAE6E6272E3B4DEC8356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685974Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:33.578{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D26D91F91C46215A18497C8F45334F,SHA256=9066BDBB1CB42F219C0AE5C2060A8E5956E3AAD4B45D34F0F1BA2E8A6286115D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685973Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:33.266{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9B9706F103A37B26861F844C3BA340,SHA256=0600D104866035106D84FB7480A4EF547A8BF1547B912BDEF5A0BC7920743B5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685972Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:28.537{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64435-false10.0.1.12-8000- 23542300x8000000000000000625359Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:34.620{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6843DD09692A96533DFA6231AA3832,SHA256=7EA68F07248C0FE877E41D3403F57A6AE9D41154A2BD5F9CD6F6720C5F0110A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685976Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:34.719{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=364354DE77DE6331C7E5E094D5D690AC,SHA256=E62CD2B072A68BD1061A73D72BE32A22AE7020F66510538988FC589F470BFAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685975Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:34.360{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F00D0A66636B33A475596CE247AF20,SHA256=936928389C11A75CEBE45EAAF0D49F8B49F1BE42E43C3C4A9E49BF9EC68834E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625360Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:35.620{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2348B6BA6C91DC4BF3E4DFDA8CF2E3CC,SHA256=6106C0938CB6ED13238F17E0E80264067D74A817774E575CC584A88D098B649A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685978Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:35.875{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0633C95E9CAB85584D1A183D6E540903,SHA256=3FF4BFA6C3D905772914F94FC55720740DB7E52919172979D5DCA8D5DC955379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685977Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:35.406{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683D4995535E1A039AEDF2C63B498050,SHA256=464CC07BE2FF688B35B76B079635F483059F6CCA5382BE60A95EEC9F3F7722AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625361Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:36.636{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBFA08FCCF32F0C5CFF080D53CE7A5F,SHA256=A053E5AF99229AD7475B1A75AA02DCA9671DA1B3437A3F8353AD866BE01F0BAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685979Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:36.422{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71926703EFC7698D7427DC9B761CF53B,SHA256=BB4FED1EC62EB39D3FAEA1D00C545E1A7D83BCAD6EA87344975835AB58136B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625364Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:37.651{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0670ADA00827B268A55CE4E5E54FD358,SHA256=1478FFC93DAF0F137D1FEA821FCFE37EE6BEB886CEBAD0F5A017CE46AE0A246A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685981Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:37.438{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAD7A6A8195A26BB5B6F9AACAA49809,SHA256=E740457C0ED400F8C8F8FBFA51B5D77C92D0488DA906AF38BEC5AB419A8E5F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625363Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:37.245{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C26AB6230B6364DFFF3ADE293F37B73,SHA256=1FEA29747931EF70A452478EEC0960EFBC52B6625F3955C1C9F64E2C8E746E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625362Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:37.245{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F23A8B30CE2606C454D1F4A75E3BA840,SHA256=F6CA36FB805B8C1C6E44DBB2EC4737948DA1FD1A9864BCB732CB6DA3DCD1E3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685980Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:37.125{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E4EF5D042E5373882586256D0E456BC,SHA256=11FA4F577B467200C9B20225A3A245F2F50C900B2C6AA943C1835100C964C8E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625366Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:35.106{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51711-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625365Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:38.714{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C495AF5272726D0BF7FD7090B1A481,SHA256=0D68D4C5B581D428D2EAAF59934666906F73EF549D6A146626CD39F9255C9D25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685984Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:38.594{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F49E19F39143C7E5BE47E283D17E08C,SHA256=EDF12FDE35F66DDFB7A4196284206889CF09E41571AB6A4E868F4C451432F766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685983Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:38.547{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EED3EE087C9B055462AC1F86D3304BE3,SHA256=D7C798D25824BC4B1E453D33B10D4271F0E622B8F1473F85A9B1B0034D125D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685982Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:34.502{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64436-false10.0.1.12-8000- 23542300x8000000000000000685986Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:39.672{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5439E37997B43E3E7682125D6CDAB03,SHA256=84C0390BFED70ED13A96BD947E42A537512EDF66E160543B60D74EBEA5A8C9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685985Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:39.625{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE57EA047E10085ECA5B5D90B3B4461,SHA256=606C7D488EE4BC2DADECB5323DAB73C9D209A4F465F099535E33BFC8701CC396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625367Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:39.745{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EB2EC25ED57209570A7958D22E5601,SHA256=7D5D7631376B2C3E8C846B539C84B385D24649D30C1347878DDF811C523DF8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685988Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:40.938{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53B23D313CB8D92B1C925C7111C3EB70,SHA256=B3771300A729786596A92114746061BCBB866970A917990297B73F8B6763C529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685987Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:40.656{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8EE23E6D67BCC38F3677D3DCC2CBD8,SHA256=E118A5DCF184343D55ADC2C50D8CFD2A5DF70F75BFA031D0223B39DC1F757334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625368Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:40.761{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C992BADF4A7654FED4BC452E446206D3,SHA256=6A6D58C6182BAE8A167A39FB81BB726C75D555E4AF94F6E2C6D343A0EBD129A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625369Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:41.792{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EDF131C82D0DE1949F1BBD50E6516F,SHA256=6C8C39D85BF8AEE37609BDECBD20E60BE532EECBB99D5355BEB8BBB6BBBCC374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685989Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:41.750{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E06752C1798AC582B7F50D42D5F6EE,SHA256=5DEE2778FCF6B6E399935B688041BB891C06DA73EFD683FB1E0F730BD978A24F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685991Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:42.779{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2419A3328C65B8DF29C54F89677B174C,SHA256=AEA1FBEFF750BB64E0788B648B019977A6844629CDC906F6725157248F4873A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625370Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:42.807{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45785B4941A598D7251D583656ECC54,SHA256=226349F5A42ECAAACED15B9DAA721C1CD585CB43125B7A9D011F41EC43F83DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685990Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:42.047{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A5A9B2197852095380CCC8E24C56812,SHA256=17DD4A2EB45A3AF258754A00DB039E1B17B357BE2BD3D1FBB385C123D6B50196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625373Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:43.807{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD72060002B7EB1FF8C6D0A8A9BA6383,SHA256=83B6A656EC274F9EE73D3244150829216453884D347FD37339636851FBAB92A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685992Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:43.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C623E16320D6FA73587174DBCB7C70C,SHA256=D2C366574040E5E6A0C67E275FCF905D9301B81807B12FAF628DDABD00C55B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625372Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:43.182{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=331BD95798E428CC1D40FB7200A9B664,SHA256=857834C50EDF3B23B7B2681D8952A186F903CDC4F86710E61B23B869771BC97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625371Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:43.182{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C26AB6230B6364DFFF3ADE293F37B73,SHA256=1FEA29747931EF70A452478EEC0960EFBC52B6625F3955C1C9F64E2C8E746E01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625375Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:44.838{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25498A47B4217DEAF5CC54A8AA568760,SHA256=77A6D83740679ACEC7F10B4C907A95F151C1DA735F9150212D6B46E571319679,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000685995Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:40.516{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64437-false10.0.1.12-8000- 23542300x8000000000000000685994Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:44.435{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF56DFAEC1C7EC2EF33736D6733585D7,SHA256=1B2714AB281910DE9A0FCC96B17CFC37FB6C64BB8D004ADFBA7665CE974ADE2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685993Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:44.013{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928F1EF03191975274040A6F715EC402,SHA256=D6F0DF409324D8096FF4F5875223D1911036B5CEF9A10A987B19C7333744E9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625374Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:41.012{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51712-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625376Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:45.838{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271C266FF2B68B2EFE05E219C6C5A8AE,SHA256=69DC8B3D1D4F80E3BE452F5834E72CFD404CCDA2FB7E8241E985120C23AE5972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685997Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:45.669{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7964E2AC82C6C2854D2D37EAC8996BA2,SHA256=CEC501E86164A8E06E81B71AA9337B525ECF9961700F17C105049DB63E4D33D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000685996Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:45.029{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D75E8FEB20C592F341B363DD373EA64,SHA256=B30AD6A0618344A180A5FFA63A65D51FCC5CC623F56B6C7817CC02424CE90076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625377Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:46.869{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7B9E7083B983D56EC9343B7FC1057B,SHA256=2CABF1F9D6D28010F777F0B92F270AC07540EA60A538D62A1BEB7385A21908A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686002Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:46.951{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA095F38CD05EA9DCE23483AC94D0979,SHA256=B8303591F5898F12E870DD2566391CACC7A55D00258602FAD0B72C793AD53FCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686001Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:46.873{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686000Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:46.873{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685999Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:46.873{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-752F-60B6-1500-00000000C401}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000685998Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:46.060{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E386E427E5F29C1645CB93E87389A1,SHA256=AFBA8334531090FC72152CD8269F27E7FD59A5E40D4837BF1EE059409978F817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625386Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.869{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB4305B6454DF356637F4DF392C27DA,SHA256=D24E2480B44FE296A75AC968DBCECECB4F0452E99D89576DB62B600281F1135C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686003Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:47.091{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7597AAC9AF2126D08E0F18794437A3C,SHA256=919E97C3F72926C6B60C169529D9E88B32D82555BA28ADC753A8001D4AC948F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625385Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.713{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-033F-60B9-555D-00000000C501}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625384Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.713{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625383Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.713{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625382Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.713{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625381Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.713{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625380Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.713{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-033F-60B9-555D-00000000C501}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625379Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.713{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-033F-60B9-555D-00000000C501}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625378Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:47.713{97C2ED32-033F-60B9-555D-00000000C501}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625401Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.932{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5963738D6CDBE092BAD632A7CBB001,SHA256=FD33B8D4FEA1433BD8CB4ACF82E78A8F2B772295FA19F745B7D11853088CFF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625400Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.932{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=331BD95798E428CC1D40FB7200A9B664,SHA256=857834C50EDF3B23B7B2681D8952A186F903CDC4F86710E61B23B869771BC97B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625399Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.869{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E5110B0A2D61EDA7C8E9F8DCAC6E70,SHA256=210A55DC134F274BE325A6ED605440C243965AAF96F4AD544121A322DA643E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686005Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:48.310{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D55392D587D20F7A7EC48BC6611938C,SHA256=45177A805FA660E38530BC0C0B1D4F853470775083E959615C24CBF417113B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686004Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:48.107{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810C605F4C8AD8D5A599B72359B15C5A,SHA256=4142AA679CE51CB03C4186AABC1AB6E4BBFC8ADB34D59A765E489E61D74415D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625398Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.525{97C2ED32-0340-60B9-565D-00000000C501}4636744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625397Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.525{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625396Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.525{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625395Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.525{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1500-00000000C501}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625394Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.385{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0340-60B9-565D-00000000C501}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625393Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.385{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625392Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.385{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625391Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.385{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625390Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.385{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625389Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.385{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0340-60B9-565D-00000000C501}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625388Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.385{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0340-60B9-565D-00000000C501}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625387Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:48.385{97C2ED32-0340-60B9-565D-00000000C501}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625419Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.885{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9879C0DABD66FD23C0D89908FE637C0,SHA256=E16DB6E9E0D923AD6542081A0726EEC89085DD6ECF7EC0A9DD03840862AA8479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686007Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:49.435{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90DE8C9660682686DBD25E621C72FFF3,SHA256=42E515B88A5D09389EE85D038145CC51D39A2563B26A4210DD90E8CC1F0FCD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686006Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:49.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EEE9344FD4B1322EA286804470ADCD,SHA256=5582268A0AB52BA06BF26D6EBB21BB12904124DC67EDF9B01938B14B1A7BE254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625418Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.682{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0341-60B9-585D-00000000C501}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625417Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625416Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625415Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625414Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.682{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625413Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.682{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0341-60B9-585D-00000000C501}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625412Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.682{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0341-60B9-585D-00000000C501}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625411Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.682{97C2ED32-0341-60B9-585D-00000000C501}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000625410Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.135{97C2ED32-0341-60B9-575D-00000000C501}45002216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625409Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.010{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0341-60B9-575D-00000000C501}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625408Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.010{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625407Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.010{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625406Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.010{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625405Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.010{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625404Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.010{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0341-60B9-575D-00000000C501}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625403Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.010{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0341-60B9-575D-00000000C501}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625402Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:49.011{97C2ED32-0341-60B9-575D-00000000C501}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625430Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.885{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6153F99D37852F85B2CE6770E89341,SHA256=FAFB3391CC7CA72DEBFA62E2E293CE59FAFD1A77FDCE3422938FDB185E36FC7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625429Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.354{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0342-60B9-595D-00000000C501}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625428Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.354{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-0342-60B9-595D-00000000C501}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625427Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.354{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625426Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.354{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625425Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.354{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625424Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.354{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625423Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.354{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0342-60B9-595D-00000000C501}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625422Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.354{97C2ED32-0342-60B9-595D-00000000C501}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000625421Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:46.918{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51713-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625420Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:50.025{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F5963738D6CDBE092BAD632A7CBB001,SHA256=FD33B8D4FEA1433BD8CB4ACF82E78A8F2B772295FA19F745B7D11853088CFF22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686010Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:46.531{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64438-false10.0.1.12-8000- 23542300x8000000000000000686009Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:50.560{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B8E12D097B574B988C000D8BE351F19,SHA256=6F5715AF07177F476FA2EAB3EFB09FAEC2F401B6FE44ECDBA225F657BA91118B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686008Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:50.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A670C07E32067C5F3FE5E9B5DC7332,SHA256=4D5F082E26316A30C5E8A0D1E80467FCC9BE5FC0DF03871B9C8FA19342B8FE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625450Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.900{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461AA21E426EDF0D2DB0551F5C847604,SHA256=D6E26200A3E6C92CCE3FDD7C5C34D4D924051D9D2606B8582E90BC97514D5994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686012Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:51.826{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49B74E4C6807B605391073200744B7E,SHA256=0A1C37ED081B57B7EBB6D8D53F0DED1E8EC63ED4066B51B9C61D87EC86646FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686011Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:51.138{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE5D62F0C220677D481E5BACD6AD285,SHA256=C12E256888E7D2CF3351BBABC9F86888E9041596AF45CCCED152FEEDFDE9DC2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625449Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.838{97C2ED32-0343-60B9-5B5D-00000000C501}14684924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625448Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.697{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0343-60B9-5B5D-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625447Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625446Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625445Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625444Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.697{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625443Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.697{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0343-60B9-5B5D-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625442Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.697{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0343-60B9-5B5D-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625441Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.698{97C2ED32-0343-60B9-5B5D-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625440Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.385{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23C85429EC3D7F624499EBA8644E2A1B,SHA256=F36AEF2C571CBEE2712899C36BC4409B46451A79F8E4A9AF4A8A56930995030F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625439Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.166{97C2ED32-0343-60B9-5A5D-00000000C501}61004424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625438Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.025{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-0343-60B9-5A5D-00000000C501}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625437Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625436Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625435Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625434Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.025{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625433Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.025{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0343-60B9-5A5D-00000000C501}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625432Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.025{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-0343-60B9-5A5D-00000000C501}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625431Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.026{97C2ED32-0343-60B9-5A5D-00000000C501}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625452Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:52.916{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C9BDDE22D0D1E21AF02D26C96DB9C3,SHA256=1C61B0BABCDCF6A31D84BD8286D459F9F7BB74521CBF106C6E769F0CAE4ABCE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686013Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:52.154{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FB18FD4B504776BB3A2BD27D65A0A6F,SHA256=E8AC87CD371F583AB67B345B86FF658F0686808BB1E9B03A367534F7D1557962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625451Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:52.713{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAF2498FFF63EABFF9F0432ED660CBE5,SHA256=7C0B6B33A3F7B594D24D8971B86412461066A010B6CACD2CAA413E4A5C307F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625453Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:53.932{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=119A56916CD41FCAA63708DD7839B800,SHA256=3830E75563B8EFB9F48AEA86B44DCE053446560DDBE203874799DDDBA86C251B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686015Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:53.341{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C277CE549EBBFC5E165F6BD89F30276,SHA256=278BF599BB51B96F20F96FAAC91E84702884570D02ACBC094B20A2BE1210DDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686014Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:53.170{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EED0F3C4C8D3FC1FD0E130F46BB6D1,SHA256=AFF9392F568B84314CF3B702637291C2AA1D5BC56245C510F8BCAE5B9249A258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625455Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:54.978{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61823BBAC414986097EEB03F96E456BF,SHA256=51401F9619AA034BD40EFAA934E8F1C64A9C4368730A6CB945AEB0071889E7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686017Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:54.466{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=804533526D5461E3140CF39A9DC1A0C5,SHA256=3533C7CDFEF872E77B7242D79255073729DCA872E8FD7FCDCD81E7FCC5B81279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686016Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:54.201{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BAFC070C8DAF0C482B14D69C955EF8,SHA256=8B7C1E0CAF62B1C1E3329CCBBA2C0A60164615A9BE8796DE4F57123D6897B9E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625454Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:54.088{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D86B1E1CB98E261E3BA60817C11DAFC4,SHA256=3585DDBC22EAD38F98499B81D33EA2DA14722C87EEEC4810B5D8112297D749E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625457Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:55.994{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C9C78EE19BBE7364E21F003F8A76DD,SHA256=BF15729D0C2F40D1F3FB980BC7E53F6F78A8ADCA1AE5EC6344906BD7A26CCDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686019Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:55.638{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF8D5ACFDCD62A7B0B885619B3A0520,SHA256=6200641F85D93B25263DE976BC19A662E81659B57F833EF61921E3A61EB59D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686018Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:55.248{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8288FACCCE9499BC320A09FC000B3CB,SHA256=D6453CC55DBCA878AEC237A7C4B4E28A75762C85526363952212F0D2A39E3A67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625456Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:51.949{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51714-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000686022Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:56.763{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29B16B18C248E3DCA6A626A4F539758D,SHA256=87CFB8608C9D37B2B02A3805C8B5F8483ED2A2EFCCED90F5344C57F1DB72780A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686021Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:52.453{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64439-false10.0.1.12-8000- 23542300x8000000000000000686020Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:56.295{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF62C3BB152081D8E992DFB470E4E5CC,SHA256=11A914CEB3CF6A7EEB00931DDF0E11BE8DAFDE0A17E9E5B0CA5DB51A34BD4857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686023Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:57.373{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2FB5916A51183BAA23A6442F570DCC,SHA256=56D79AAE1B53F47CE9B0C4E7990D0233710EAE698835B4F635A3B90CB8A1EEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625458Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:57.041{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFA2DC51FF1D6995D4FDCD861FD2B23,SHA256=BC9BC615F06A962D0F3142369D4ED4172EEF21499803DEC1E35A19C208F706B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686025Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:58.388{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4C5857F7082484F350BFC97EFB8AE9,SHA256=5081A83FA5F297B8AF9586D59E7D1F1016AD6D9FD55D45CFBAA5AA56E750B917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625459Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:58.103{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9F2EC0644C1EF6BF62B9C06BC0A46E,SHA256=0A2DDF3F0D6F0E17740C709AC4FEA489645DC7DD7193046ABF514A014D635C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686024Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:57.998{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09ED3B5456E199EE52E92EA0ED08DF26,SHA256=A46E175EF31F61CB14956349288230689F2210112DFEEB4C676F0BE889FE3A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686027Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:59.404{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2613C99A5BEAE2CDCCB1F5ED423AB50,SHA256=B96B842449F6E9ABFF6BC85FCB5FA1B0596997FEDE63800E0020243E82E6B93F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625463Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:57.027{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51715-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625462Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:59.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A73E5FE70C1CDB69B4FE502271DC26C,SHA256=57E09C3C07E91C1DFD3E61932275E4406B9AAC4EB1A4359F92B8B1FBEDDBC189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625461Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:59.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=927B94F5ACED9A7817588936D42D2257,SHA256=3B5B27C6858898085571F2B9C8169149DCEE9C307F676A34FD0620744DC9B965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625460Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:59.197{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B22CF388E2C011914AA11E4D3509D4,SHA256=7AE155AD441A77BBBC869CFCAD3DBA004F0ECA15991891789AF9D04C92CAF907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686026Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:59.263{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49D355ED39CE75ED3956145E5FC5DEC7,SHA256=AD4CCE36A4619326B3EF4CABDCCD4C731ED89D8A5D78002A5B15BAADA2DBFFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686029Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:00.716{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D8B03D74EE897628409CF1C5D445693,SHA256=55452B13EDBCF79E83A51BFF9182B798F152C9A9EBC23CCA8B08E9858E0BD945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686028Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:00.420{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F9F01A8ED6AC93F9FA3F64220ECFF0F,SHA256=AF299992CA11F0868B0D4F3A25837F138D715FBB84658ABD8ECA17202035C910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625465Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:00.760{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625464Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:00.228{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6769A47C4B1F4AEB8456C5785D6C69D4,SHA256=7723FCBE193DB1287B928D58803370A0F43B6998A69E39D508F0B206E1C74E0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625467Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:01.744{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A73E5FE70C1CDB69B4FE502271DC26C,SHA256=57E09C3C07E91C1DFD3E61932275E4406B9AAC4EB1A4359F92B8B1FBEDDBC189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625466Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:01.260{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF967365E763BCEEC0E9958059C4E7DF,SHA256=3A12C6AB6441ABFE44A5D5478B012CCF6501A391BB4EC0215416FEE2AC3EE6A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686032Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:28:57.625{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64440-false10.0.1.12-8000- 23542300x8000000000000000686031Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:01.763{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=903C57CB2722D6A77ADC05F69A598BEB,SHA256=CC342E2DC3F48BB60C25611F7D4511AC91559103E23501FE3277E530ACE24037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686030Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:01.435{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04FF01605FBBC3CFE355D95A3FE9E54,SHA256=C56C5C16D82CB440130E67613CC630171538EF98A95FAF262CB7DB00D4DA5AA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625470Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:02.890{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3A71BF593A9A92C5C698CE66F789A629,SHA256=BB495FA3145DA04509DB5ADB6562A7373DBEA27C9C512DA6DB1E3A216E18EE05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625469Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:28:59.605{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51716-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000625468Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:02.260{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F4C598BDB0EE20E6E76FF38910ABF2,SHA256=FC45EFB1897E9D620A61B58261C0F4380791326761441F863F8C881EC435FC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686034Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:02.878{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81075184CBACF06354A5D1C8B03B8151,SHA256=814A8C04572E466B232C177FCFA2B4ECAC45F009523E5C1F0C423A7A2F6DAB49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686033Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:02.440{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322D7E0BDEEB1C24F309CE5B7C41421E,SHA256=4BC1237FE278C590C306B4EE0C6E47BD28850DCEA04E2E0311F44DE81192CA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625471Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:03.265{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B494458EBE9184A8081C4DE5648C7C,SHA256=36253F76FAD412B1AC3445CE52694E5E71C66B1D45012552281F87221E48359A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686036Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:03.800{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686035Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:03.456{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DFA64741EF4B328EA6F86B37AA69DA,SHA256=F871CA88C0C2FCBA99B07416A8C4475E95613EA0389413E540E59DFCF0211FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686038Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:04.471{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A6D91CCEAF6F101086187A28A2D916,SHA256=2ECDE4430150BE152248E287742E2AF8002FCBA6491FA63E73EFFA4C6B25CAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625472Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:04.296{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AEFA687245DE1BAF69E9B462D70F316,SHA256=D1C53D4E67E8D56F438F54A1A8A62E12EC319FA13328E05434FF3D478E8F3817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686037Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:04.175{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36F5294A767FC2A8EAA0CEAAF56A5259,SHA256=80138EEC0072897AA71F406C86EF8F36BF80D1FF66F9C30783DE9C4B2C389B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686040Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:05.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0451B1C0D5156E773D4AC36C9B25856C,SHA256=C63EBF20AE83FD240425D68F8A0835CF27DE855652A5293DA3C48399A9AE5117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686039Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:05.487{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C078FC19C184D8DC67D725304C8939,SHA256=51A8935654A42098BD3E908BC84D0CF22009889A695B2566A0E353B193F11303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625474Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:05.327{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39914C81CD2ED3F6C1C0CEF4F66F59F7,SHA256=CC8982575CCD21A88691CD384646D042FA67EB1F9616E2BBCC79AAE31C933637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625473Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:05.187{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DE1C5E896BC0E2E217FB1DC1EE66F1A,SHA256=E45D353E61014AA4FF0E947F6A8E525E6D150549B805252F6077F13E1C5FF979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686043Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:06.784{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD209BA0B77FB5EDBC7A9AA5861AB1FF,SHA256=97CEDCFBE7DFD130D5407876AB668370B84CB9E188437CCDD0A94B7595E27863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686042Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:06.487{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD1584A22C034DFB541192620FB0644,SHA256=8EA5E56FA98AD302E5ACCBA4FD81274042304D97B4A4F86D8AF8334EC36BC8F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625476Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:03.048{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51717-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625475Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:06.343{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2115C15E83AAEF91D6E562905596358B,SHA256=5432D0FAFBBB26C7796FF1239B7878A1E585D0FC6B35693DC40B80C33907A980,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686041Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:01.192{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64441-false10.0.1.12-8089- 23542300x8000000000000000625502Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.703{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3BE013CF289B2DF0550BBC1C27F36D,SHA256=E5B339A06E4FF3785D140FA1D2EAD1362A8B8C48D8A79CE580D207F687203034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686045Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:07.940{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FCF4D037BA7845E643E231E343F4965,SHA256=068E3EB0F7F54E7ABB686E31673EA19A8CC0E80457A01359DE546A3DA9823123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686044Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:07.597{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC52AC8352517184D5F42690FFA1746,SHA256=292B8114E3203617974CE85F5CE9F8C4EF6D8818F5430A334248D2B89494B55C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625501Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.312{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625500Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.312{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625499Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.312{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625498Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.280{97C2ED32-7730-60B6-1600-00000000C501}12045548C:\Windows\system32\svchost.exe{97C2ED32-0353-60B9-5C5D-00000000C501}4952C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+3ef6a|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625497Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.280{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0353-60B9-5C5D-00000000C501}4952C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625496Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.265{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-0353-60B9-5C5D-00000000C501}4952C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625495Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.265{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0353-60B9-5C5D-00000000C501}4952C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625494Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.249{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625493Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.249{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625492Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.249{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625491Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.233{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625490Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.233{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625489Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.233{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625488Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.233{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625487Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.233{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625486Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.233{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625485Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.233{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625484Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.233{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625483Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625482Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625481Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.218{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625480Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.218{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625479Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.202{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625478Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.202{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625477Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:07.202{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625508Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:08.846{97C2ED32-7730-60B6-1600-00000000C501}12044296C:\Windows\system32\svchost.exe{97C2ED32-0354-60B9-5D5D-00000000C501}5392C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625507Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:08.831{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0354-60B9-5D5D-00000000C501}5392C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625506Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:08.831{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-0354-60B9-5D5D-00000000C501}5392C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625505Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:08.831{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0354-60B9-5D5D-00000000C501}5392C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625504Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:08.721{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71083DBDC9B53627D1FC7F85B7638ABF,SHA256=BC42F4A13C19C2FBCE801CB159B44727005E4612EAA346F99F6C7BBE5133A833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686048Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:08.612{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417914DB9F60BF2A8DF640D599F14803,SHA256=7F8D299AA68CD26AC5206FB9AF68EE4DCA2BF977DB7CAE52F47FA0172E9CBCAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625503Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:08.250{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E4C3B2746B1474DDCE3B36208ACDF48,SHA256=C791E7DA1348EE880930C7E8B5D234FE0F01F390AB5528A92A40D6DF00F51C6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686047Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:03.224{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64442-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000686046Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:03.224{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64442-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000625510Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:09.833{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=397F003E024BC83B4D8CE136A9635AB4,SHA256=21018F9495C60C1C6EA917701D4D97554FBD9CFC9570F72B3F1DC7B081CD72C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625509Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:09.723{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0EA940D42DC1282D650C223BFCE23F8,SHA256=7A5D2A048B0A7AE3848F895330D427D73308577467CF3AF98D846478B58345A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686052Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:09.721{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-752A-60B6-0100-00000000C401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000686051Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:09.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DFAE754E0612744DD981503F797700,SHA256=E5187D8ED03AFD74045C50C8D347A46E9F3C61CE122BDF68F65CA73643966618,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686050Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:03.645{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64443-false10.0.1.12-8000- 23542300x8000000000000000686049Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:09.065{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA4D7EE2757F2F43B105CF44A6F951FD,SHA256=40C0C6CE4914167CA3564E210EA2F05EEEBED279F0AF91A8254E3167CB4E80F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686060Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:07.133{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64446-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 354300x8000000000000000686059Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:07.133{D419E45B-752A-60B6-0100-00000000C401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64446-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local445microsoft-ds 23542300x8000000000000000686058Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:10.800{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A9C243DDAFC418FFD0FC287EDDE354,SHA256=DDDF2A73579F6E38FD2C5A64EEFFB52DCA221002F3B154BDE4410EF68F66C78D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686057Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:07.031{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-233.attackrange.local64445-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000686056Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:07.031{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64445-false10.0.1.14win-dc-233.attackrange.local389ldap 354300x8000000000000000686055Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:07.023{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64444-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000686054Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:07.023{D419E45B-7530-60B6-1600-00000000C401}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64444-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 23542300x8000000000000000625511Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:10.723{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF83E4455359C6F47E8B9C4F93E42602,SHA256=455B41C24C40F642A91AF56079240C241D6198B082CA8E05BD8A1D8CE4DD2A3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686053Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:10.331{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F02D3B4D5D184A3CA95D1FAEA8BDEF39,SHA256=67406E83533007407912FA40B1682C3C3C53BF509E06BD8B3C73D809C450E148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686062Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:11.940{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A342B7E552C98F4630285A140EF1EB99,SHA256=6CC104BA63CB91A4ED27A2BF4AA2B69EB3EF9EC5F53F7533A01B65C1B96094A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625513Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:11.739{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4944331C77A42A5F6F094232DC2DBB32,SHA256=3916C3E8912CDF03F4B6412AB15F2D6FBF87546055E4199FDA598632757574B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686061Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:11.675{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=448D7E23EEAFC998F5D4115A385F1354,SHA256=C7DD64497D10B29B5769966DEEA7C4FC55A42FD35AEB6B063D01C51A5E5DC9D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625512Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:08.098{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51718-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625514Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:12.755{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C61E16B78501AFC864750BEF5D7E63,SHA256=A4F7EC3A98040BBA872AAFB421765C539FFCE43F0CE0CA7641E1D11F6CD44F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686089Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.454{D419E45B-0358-60B9-F152-00000000C401}5708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686088Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.454{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=54FF3833FAC73129DDE44397037321DA,SHA256=F7DEA4953C7AD4817378681A0C92B817C634000A2BC95A9CF7791605C3A4676B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686087Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.407{D419E45B-7530-60B6-1600-00000000C401}12685808C:\Windows\System32\svchost.exe{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686086Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.407{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686085Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.360{D419E45B-752D-60B6-0B00-00000000C401}6324184C:\Windows\system32\lsass.exe{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686084Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.360{D419E45B-752D-60B6-0B00-00000000C401}6324184C:\Windows\system32\lsass.exe{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000686083Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:29:12.344{D419E45B-0358-60B9-F152-00000000C401}5708\PSHost.132672113522653743.5708.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000686082Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.328{D419E45B-0358-60B9-F152-00000000C401}5708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_nh05j1eq.aoc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686081Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.328{D419E45B-0358-60B9-F152-00000000C401}5708ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rv3304ph.u2g.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000686080Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.313{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_rv3304ph.u2g.ps12021-06-03 16:29:12.313 10341000x8000000000000000686079Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.297{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686078Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.266{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686077Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.266{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686076Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.266{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686075Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686074Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686073Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686072Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-0358-60B9-F052-00000000C401}61966116C:\Windows\system32\cmd.exe{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686071Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.265{D419E45B-0358-60B9-F152-00000000C401}5708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module C:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-0358-60B9-F052-00000000C401}6196C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\temp\AzureHound.ps1 10341000x8000000000000000686070Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-0358-60B9-F052-00000000C401}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686069Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686068Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686067Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686066Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686065Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-0358-60B9-F052-00000000C401}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686064Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.251{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-0358-60B9-F052-00000000C401}6196C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000686063Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:12.258{D419E45B-0358-60B9-F052-00000000C401}6196C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000625515Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:13.755{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FB941BBCCA4E050B1EC58EF8266F8A,SHA256=78C0B0FC18A1F7941878A614104C6FB720538527BC6C6CC575DB96A1B27658B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686108Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.863{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0359-60B9-F352-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686107Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.863{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686106Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.863{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686105Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.863{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686104Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.863{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686103Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.863{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0359-60B9-F352-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686102Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.863{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0359-60B9-F352-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686101Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.864{D419E45B-0359-60B9-F352-00000000C401}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686100Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.269{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1436417BEB9F5737387431828F7AF3CD,SHA256=77051BBFA6489EB9E336694BAB4B68F6FF292A9B06B730D7E4BEAB5F35DE04B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686099Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2251D6421FACCCD3B95A11D90D92A369,SHA256=5BD4A2B1D32BD2B5B1BD5FADE225FEA56631DAB8F52D09A6997F6E25935FA975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686098Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1584991E6D0D795F03BBA25DDE0809DB,SHA256=2E7F0D84517B9B9A3B555F3CC06CC0BE58F9EC1510EDA5ECAA5B4FD87A4C8C9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686097Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0359-60B9-F252-00000000C401}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686096Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686095Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686094Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686093Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686092Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0359-60B9-F252-00000000C401}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686091Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.191{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0359-60B9-F252-00000000C401}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686090Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:13.176{D419E45B-0359-60B9-F252-00000000C401}4952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625516Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:14.755{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FA230E405CA6A33317DA38CE299AB8,SHA256=7D258A2B7A33DF2EA7FDBCF254B43FD905CED3E0B31880B25270DE46F6FB2F3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686121Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.597{D419E45B-035A-60B9-F452-00000000C401}16164892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686120Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.442{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-035A-60B9-F452-00000000C401}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686119Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.442{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686118Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.442{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686117Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.442{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686116Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.442{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-035A-60B9-F452-00000000C401}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686115Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.442{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686114Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.442{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-035A-60B9-F452-00000000C401}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686113Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.432{D419E45B-035A-60B9-F452-00000000C401}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686112Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.425{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4033AD0C119766D0FBC79E6974C6E43C,SHA256=AD6101BDC136FE6AA62BBB97B2CB52DBAD75602288F992934A00EEA180A10CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686111Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.425{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714CA71683821A28C1E6C71CBAC357C8,SHA256=A7197DF5BD2B1736F6B0AF33A524749FAC258DF3F09AC0721C05851095FC2776,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686110Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.050{D419E45B-0359-60B9-F352-00000000C401}48964416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000686109Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:09.549{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64447-false10.0.1.12-8000- 23542300x8000000000000000625517Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:15.755{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F617E09AE21DDB981BAA6881540E98,SHA256=2B6832F0A8B67F4D6CD015AD8FB37BAD62FCD6606B482E7B99A807AD84581F5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686140Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.785{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-035B-60B9-F652-00000000C401}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686139Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.785{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686138Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.785{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686137Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.785{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686136Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.785{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686135Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.785{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-035B-60B9-F652-00000000C401}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686134Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.785{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-035B-60B9-F652-00000000C401}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686133Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.786{D419E45B-035B-60B9-F652-00000000C401}4976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686132Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.566{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB88370325BA10FA92FFEB4B3974DCCC,SHA256=F4C357B3ACB28F6375AC07DC089DD2EAC859F65C02016C12AEE8D11EC4C7960B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686131Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.441{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48C761158DDCE09EA8F74E163EC5906,SHA256=BB2A25FA4D1F8D06C3F025B809C296D472D550F8BD474118547B84275B0252AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686130Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.269{D419E45B-035B-60B9-F552-00000000C401}39081108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686129Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.113{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-035B-60B9-F552-00000000C401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686128Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.113{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686127Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.113{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686126Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.113{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686125Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.113{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686124Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.113{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-035B-60B9-F552-00000000C401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686123Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.113{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-035B-60B9-F552-00000000C401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686122Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:15.114{D419E45B-035B-60B9-F552-00000000C401}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625521Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:16.770{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AC26684D847E97F7CE75BC6E75FF37,SHA256=FFC57561F5D338A4D0F9D558AEA1BC3FFCB58112FAF716AE7556248C8E6442AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686151Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D00DB4774F70151534CDB1FDFE6F1DBD,SHA256=4CE89F6D0D7FB9532A5EE67039ED99D6E3FD4CA78AB9AB6FE34C2E66F6C9EF1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686150Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.644{D419E45B-035C-60B9-F752-00000000C401}56647048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686149Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.472{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-035C-60B9-F752-00000000C401}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686148Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.457{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686147Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.457{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686146Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.457{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686145Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.457{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686144Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.457{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-035C-60B9-F752-00000000C401}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686143Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.457{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-035C-60B9-F752-00000000C401}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686142Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.458{D419E45B-035C-60B9-F752-00000000C401}5664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686141Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:16.457{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7AD0A9B2E6BF514A7350ED866042CD,SHA256=4D2CF202D42ABEECE1E2B7C36FABED0CFCFC832F4BE0F756CDFE560201CF937E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625520Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:13.866{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51719-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625519Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:16.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C73E9DF13F61E566B9BC75647485E845,SHA256=1985FDF398D51E6C188D6D02984301F074DD3DBD5FAB99E397F8A0DE9FA63F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625518Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:16.208{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D15608EDAA0EF1CAE12DE74E04D371F1,SHA256=777E4BD95FD87A5EAEACEEB45103C7FE2B43588D01968B4D65BFD03F0D08CEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625522Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:17.786{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1CB4F6D01B29ACC944F21D537B3778,SHA256=96078BA2D9114BD259F5603DC00625E0FDED1CBC6BDF1A26A1CF67AA31A8726E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686161Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.910{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C4D3A7E9B8F6A19013A0D8B5F998D5F,SHA256=FA87E1BD18B3B2F86DB72AC06BAC486B0CF5E2E09A5C53569326E889D7EB4108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686160Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.488{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAF6F71B23D593C9D96A470F5137B5B,SHA256=909166DBA53A1D168D9FF7966E2BA91CA612746A04B20711C6D92D16846D99FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686159Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.129{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-035D-60B9-F852-00000000C401}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686158Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.129{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686157Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.129{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686156Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.129{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686155Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.129{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686154Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.129{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-035D-60B9-F852-00000000C401}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686153Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.129{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-035D-60B9-F852-00000000C401}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686152Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:17.129{D419E45B-035D-60B9-F852-00000000C401}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625523Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:18.786{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0EF928F1DE563FA77E268F89AC0CBB,SHA256=15084CD89EE70D47F5DD7AE2AF1C634AC9DBB3053DF6E25A46A58E9D50F1683E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686162Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:18.519{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEAB71654ABAE69BA3A11F7F18144266,SHA256=6B24F76D8B43697378C036FBEA37DD6B864CA6A5B954AA57790615044C122334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625524Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:19.786{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77A4CEBD5A4033C93F68CDB966EE894B,SHA256=81C976398BE4CA4E95479BAAC4DA1BA3E9E2288811F7C002031F69866DF4A186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686165Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:19.582{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E988E0C4E3FD92D4FAC238D3FBC658,SHA256=2226C20C8B75C93C4764EAF6198B865A43C72847F741CB02481BA5DC6A74CE5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686164Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:14.552{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64448-false10.0.1.12-8000- 23542300x8000000000000000686163Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:19.160{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A069155BA0F87F1450212CE75EFD9AB6,SHA256=9FC5D55A9411BDB1F9E415518C5DB2E038D307A35641CD4563EDE596F9140EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625525Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:20.786{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E041AFE5DB0636B87F4C1305CC8A61D1,SHA256=27C67A4B35663B684A39C238025FB0AA3AEDC34C83C5DBF51536C082784CF582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686167Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:20.613{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFCE09885F98BE9A0060F5245D2B8CA,SHA256=CEBE1493E0D745AD5E708B8801CE49B022E7433F48B1CC424ACEEF5EB7D1551B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686166Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:20.410{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D7F346D2D767C98CA656149388C5DD,SHA256=3B7CDEC6A85015C20FA799E6E13BFD73364A036C165AA75B8273796A21094265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686169Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:21.769{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AD0535D53FE3BCE56685B554D5D1323,SHA256=D2FAE89BBFE1D26FB6D3B172C5340AD2BA52C8A04CC581F0122C1A9D9F06F5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686168Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:21.769{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB12C5E65FC95AA9B9137D47FF02373,SHA256=633AC642C7772DE0CF0A7D187CF74C7F2D63B114B3EC919773000E61B9B3E9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625528Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:21.786{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CBC7F2D588E7DF01CDDC330A830101,SHA256=281846F997D5471C2B1089B3FB8CE7521C97C183CDFE1F3A5EC1E70D5FFB4F37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625527Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:18.881{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51720-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625526Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:21.036{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C73E9DF13F61E566B9BC75647485E845,SHA256=1985FDF398D51E6C188D6D02984301F074DD3DBD5FAB99E397F8A0DE9FA63F60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686171Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:22.913{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57ECF027C5F6CD97258315FC070041C5,SHA256=84C1FBA330ECEAEA73EB1730F68E47298F13C236EAD72DBD3111BB9914FA615A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686170Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:22.772{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4170A5EA8CF3B7EC5B141917311B34F,SHA256=8B3A60372E51AB9138940344963F97F2E09D80975DFB59995ADDA41A23B6D72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625529Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:22.800{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922450247FB2AFE136A55B5A9EE814D5,SHA256=61A57F1EBEAF42B15E9FA20AEC795FC1FBE92F09A71051B9D6F6546C5C12A972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686173Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:23.944{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F3D7092C97A4B582511762E2CA872F6,SHA256=1560BE6DA355E44D41BFBA8BA5BA00B50B8AC53530E8F6CAC36F8E48AD6429DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686172Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:23.819{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E498ECE0DFCA99B82ECB503ACA42B0A6,SHA256=49BFBF4B8501EF60DD0E467C2A084C189C0D757EEA9079193EB634932C98CD2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625530Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:23.800{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35DA126C75CDFE8C83425292AA9F76A,SHA256=6A8F0ECEA24F383500026AC72CB3CD108A8AD29914DA13EA0344251A9978FE6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686175Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:24.882{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6A6B807F2F4F0260051AA096597519,SHA256=50300E5E12FBBA0F7580B4A7B95B30087C11CD6A826A34CFE42C67F34C186922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625531Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:24.816{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C0C8652331455C1D09410F630F8DA8,SHA256=4B9C70F66118D360EEE52F4B2655E0F8DD850D35211384ACF3CBB22D332E83CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686174Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:20.540{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64449-false10.0.1.12-8000- 23542300x8000000000000000686177Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:25.882{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0E230C29DCDDF1CC22FFD573255F58,SHA256=34D61F6A1BC0CD5705D85C68EB7340228B94BB8D007A548A4FC45C13994F24E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625532Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:25.816{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92862A23C33BA34C74624507BAEE189A,SHA256=C7122AF2A9128C0FCB99D2D7C37233AF33176B7302F097F65DD35E960AB67461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686176Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:25.116{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0FA477612F711917AFE7429901D0188,SHA256=1EBE7C00FA0F1126AC00D0666249C030FB0F2F32BB7EDBED47C233D2CC549D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625536Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:26.847{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7E1455CB38C1DCFF24AAEB7A54D1D6,SHA256=D0A5E50DB3974FAC06E96CA5709BAD1E44B85232856992CD5CBD42D2BBD7550A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686179Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:26.897{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675DEFAD2B30115666B4223E7C741D6D,SHA256=0293F7CE48A92CDE9E38DE389AD82A6BD6D0F9E667ED29390F1EBFA938AD8AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686178Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:26.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B730B930E6761F92E96715F07C8CD23,SHA256=005CAB69E70E39D01484C178EC7F737FCB72E62FA0DCBAAEC6B86003D39492D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625535Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:24.005{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51721-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625534Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:26.206{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B059539904DCB8B26133210643B540,SHA256=9F92881E9E5E7D56DA52593B1C7D6953485F467D95FB6F968D13329B743439ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625533Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:26.206{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A414553A322BE0B0CA5E6FD1F7542A2F,SHA256=6D73C95243F9427E8D7DC86574865E72CC301B0C599865ED19A72901C8E3F42D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686181Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:27.929{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01073748CF3D8300E578DC4F45AF174,SHA256=ED692C95301F36F6CF6343FCB05B772D5897B21B40C395FCFFDE80E72DA0AAC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625537Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:27.847{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C4B99DF8D5325D52A01BE982E7AD13,SHA256=EC6BFC478AEF56FC7E3239B2C7FDE9E2130E23537CEDFB0CF3A67458B8484691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686180Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:27.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3D2C7D21FB705991C5046608BDAA136,SHA256=E91C0D7D5B434535081CC46F5ED8B2AF0F8A5D4C9EA4897E2146AF12C5061DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625538Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:28.847{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E419F94F64C75827EF1FE68A1F14F3,SHA256=E44ACA06D3A0D3A974A03DA44FB2EF16AEB75EA6CCC4E97D69CC6DE5A76393A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686183Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:28.944{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B81AFC2D9C7CDC343B8A73CF630DD99,SHA256=B9B1783E5E7F143C75B00AC15ECFE8349BAA05B22B0AF0C27512F2D168BC20EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686182Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:28.444{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63FF0F4FF74142DEB7BE2BD38FBCF722,SHA256=04D0D561C18506C0F1E66117E8D123BD45946519E3D1C0F2B398AF8D2303DA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686186Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:29.960{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3A73E28C31E8FB0197A9166D860B9D,SHA256=4CACA11AF8DED98EE74D4875C628B71ECB699A8E8051BB6B2EACB4FB1809E098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625556Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.847{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF6C6B17ED5C573E757B6BC5CCA181A,SHA256=0C74CEF57D6B8FA03C817DB730D6E4B08C44B70943CE1B4669D8ECB1154F6563,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000625555Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.456{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000625554Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.441{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625553Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.441{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625552Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.441{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625551Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.441{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625550Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.425{97C2ED32-7730-60B6-1600-00000000C501}12042840C:\Windows\system32\svchost.exe{97C2ED32-0369-60B9-5F5D-00000000C501}4308C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625549Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.425{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-0369-60B9-5F5D-00000000C501}4308C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625548Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.425{97C2ED32-0369-60B9-5F5D-00000000C501}43084584C:\Windows\system32\conhost.exe{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625547Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.409{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-0369-60B9-5F5D-00000000C501}4308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625546Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.409{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625545Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.409{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625544Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.409{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625543Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.409{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625542Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.409{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625541Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.409{97C2ED32-9D3E-60B6-7A08-00000000C501}33646132C:\Windows\system32\ServerManager.exe{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000625540Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.407{97C2ED32-0369-60B9-5E5D-00000000C501}3332C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000625539Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.362{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=A274E1596A36C91498A14EC453F360D6,SHA256=85F9E3A2AC96A8CE30175EFC97FD5816A983614305C6753DE61D03176164A134,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686185Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:25.664{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64450-false10.0.1.12-8000- 23542300x8000000000000000686184Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:29.585{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF036CBA7664BBBA41BF00FEF98AF44D,SHA256=56AE45DB4D2A80C6865BBF93B6645530DF940E6F4A0CF0B2F3DF6779D5087B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686188Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:30.976{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41B81E63821C1CC0EFC251245824B15,SHA256=11D92951D3E6B4F444066490AA571886E1A50B7DFC34B306A6BC6DF7B4795A4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625573Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:28.322{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51722-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000625572Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:28.322{97C2ED32-0369-60B9-5E5D-00000000C501}3332<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51722-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 23542300x8000000000000000625571Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.878{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCEFFE4249BB841D53B17C26C0A5DDEF,SHA256=43757E4A53346B189664A48819E8E0AC6EB4622D4B403FADA92D598D1CC82717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686187Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:30.835{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C3C196735658D5D93C396A7E2024CB2,SHA256=6C13566944AF3388199E0B97C8FF92BEEBE550D155E98154E423D7658E2218E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625570Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.550{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DB8C6E2964F29C7E10AFFD93A58E4E33,SHA256=AA05839BF4F1068AFF0C37018678A189CE62971B9A7DA02CF1C8044B8FC686C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625569Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.550{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A09BE1E7A2A039A62029E0F44AEC71D6,SHA256=49C6C20C0098CF87532CCBA1D4C67AC3EDE3E4A748DE30C1A01BE9F5DE6F0311,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625568Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625567Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625566Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625565Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625564Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625563Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625562Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625561Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625560Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.441{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625559Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.394{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B059539904DCB8B26133210643B540,SHA256=9F92881E9E5E7D56DA52593B1C7D6953485F467D95FB6F968D13329B743439ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625558Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.378{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625557Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:30.378{97C2ED32-772F-60B6-0D00-00000000C501}7881872C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-1200-00000000C501}1016C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000625575Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:29.021{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51723-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625574Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:31.894{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5042410114FD3D384106526C7F23C04D,SHA256=0C46C1EDBFDDE573580D9661E9F3FDF35E8DACE117E97B18920A14E90D32399C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625576Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:32.894{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58527F5348871DA7DBB6C5CBA8662662,SHA256=C40D2BD9449B892C57F27FC56F06F542EF81A8A2EA7544D45351837C7E963142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686191Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:32.819{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A1FB3D415351B973E13ACFCE61798C91,SHA256=34394F77624E2BFACCF48EEA0F6069981A8F67AC3139FE208863CD7A8A0C296C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686190Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:32.179{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD0B0C92B21F7D7F0455E4D43EBF29FC,SHA256=E2842C3DDB34D933DD50238D55F35EDDEEEDB3C15191858A861EE8E100ECCAF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686189Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:32.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D2D07427C73ED52CD5877CF722C5BD4,SHA256=F6F53D68EB9CC956D8CC2961DF7D8EC055B7DAD10425E28044FF4EA4BAE0902D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625577Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:33.941{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7006B8E6CAC535C0E3066AF1D1B5863E,SHA256=ADE5C88045B3DCB31D08B7480A20D5FB0C1F5695DBADD91E98597BE1AA3DC408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686193Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:33.335{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF4550C8F8F565DAA4665159F2F176AA,SHA256=683AC6C55785A17CE06F686D3D1646A073444F935541E4B653991B96C7806EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686192Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:33.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D1E6252A5AAA62EB1E196A7E0F7C23,SHA256=ED26A2F93EF95BAA14375565EE86BEDA908E5A4D94EBD8D1AE98D471392E7C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625578Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:34.941{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9677F61B9593ABD5FC32AFFA997596,SHA256=3F2B6A6E0D09FCC940CEE42B4CBBA055D34CA6EFBA08BBE77323BF5733A60D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686195Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:34.475{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70265000F925560C62D570B02ACB8C13,SHA256=48F81EF02BE9F2247FE90542BDB6CF0BEB016F31872460489E0ED63F14C15FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686194Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:34.132{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AE12D9F6F6BC2E11EB82E175AFB731,SHA256=C9CEF2639223DE4F3617D9FD7748362F42B0976FB15FC0D9944703EF91339681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625579Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:35.956{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB01278E5653863168A05069E579781,SHA256=F6F87A5918F3E7E310A3104F14E2E9244C9C076A8352184778F4C31E0C044381,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686198Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:31.524{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64451-false10.0.1.12-8000- 23542300x8000000000000000686197Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:35.663{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=289424D46B3B048B57C65309C42FB683,SHA256=9C58D76C0A9BA21C93EEB0B1EBBF6DF761EB4EDCB7C16AE9D698CE9F68A716EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686196Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:35.163{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FEEA0158745BBAB22FD302BC070F91,SHA256=5853A70550DF27D4E7D3AF15A9CAF8710249EB7511C1792DAC3FE294D58BBE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625580Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:36.956{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1877F84EC9F9240E0EF01D89CE92875,SHA256=8C8599BC43C2435B8E5685322D39DFCA3911957B97AFBD702F810152E28AC9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686200Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:36.866{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72FBB2324C29C44B0D32C99145B3C25F,SHA256=803E1D8422FF600D23F0797DA30C7A3D4A2E32642B37BA3B60F9513144B6EDEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686199Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:36.179{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278457BF94E49C04B2486B28340D572D,SHA256=284C9D310F73928608F3E5B92E1963631440A46660A470BB513073CB3F26AB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686201Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:37.382{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3989DAD2FE63322ADA7BAAA0AFFAADC5,SHA256=4F03E90BBF47EC4E88A4D2906B335281E69C437A8CCBE385116C3360E2D231AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625582Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:37.222{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0057ACD09177CE354045FF7E85E2DEC3,SHA256=6B09A2D06AE9E66C1211577168F6FBE6C5BAD6C711DB8F28CA6563E925A8B4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625581Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:37.222{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8439066B5F49550DE7CB02E9AB1DF109,SHA256=4D196B5C4564A65E98F4C4780098C1BEBB64292DC64DEAD8CF2313BAFC41A7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686203Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:38.460{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502B9AFD023FA4012932CDE5E9830068,SHA256=ECCDFBC929D7CFEAF95601B81BCCFA036E36C67C0677F6993D51E7EC6D83C41A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625584Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:35.052{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51724-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625583Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:38.003{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4240D0CBB49FA58FF3C6484EB7F45A92,SHA256=36977F154FAF7EB61F5ED9FE19A3A69CD5F7661BC1B4A86A910CD79D516DC182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686202Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:38.366{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA78650BE4AC912B1B7CC96378A1DB10,SHA256=0FD12352A93B5B0B3726D39DE4C8A9F8164A0CBAEBC715023A872F9A6245936F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686205Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:39.663{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D158A39183A6443011A6859456A1BC,SHA256=87F41984E21F356DF717FA409BF03F953723358F62AADF59EBFBEA6A36A00B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686204Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:39.475{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8406256F495325E2E2E171E731341D,SHA256=6D51B0D20C5FC8DD4CD021D7B7096759E34F87628163CFAF8343A5613C67B6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625585Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:39.003{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D7D8D4D324C2EC552A9B49415C03F5,SHA256=102DB31F35AF56258EA49E73DD9F1E9B855C503CC7BEBB15F9FD1FC81E1781DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686207Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:40.913{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5A9697E837E8BCE902B171D67B0D701,SHA256=B8B3C3F05F384AB118CE63DA770D1DDC55846B055413FCD242152FD9F870C0A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686206Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:40.491{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA33C738883E6D62EEBA2A1E54DCED80,SHA256=8A8EB5DDC6A989380BC19EE392C5BCB08288060F23EC27D5F2C5202CC64D32B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625586Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:40.003{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56163DAB2E96B39E88B4825A2F928420,SHA256=5522B5B5E3042143B8DBA8E0F2052BA7643FF66972594946A21CE0D8A2DC2FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686210Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:41.976{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7005C261D2BFD36C457C8B00EE39BA5,SHA256=D7AE0D160914B3AF46AAB6D2CA932C9C90AA14839BFF36EC1C83D714F4441CEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686209Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:37.493{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64452-false10.0.1.12-8000- 23542300x8000000000000000686208Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:41.507{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A30B156CF5E6F9DECDCCA4E6B7AF4C4,SHA256=EF7C7CC97C523D8CB041A201BF006F43844D160869B8E59AD9B9391504396B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625587Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:41.019{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6DE273311CBB7158DF5A202C8D6171,SHA256=94F224839A748C8D1AC910BF1FD64C105DD71B053CB935050CD6766F835A545D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686211Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:42.550{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B11953C4F8DDCEBE39064DC8A64D29F,SHA256=891F0C0AC5C3CBAAD1A852EB5D2CCD315A5DB37599B91E6E961B50209E5C74B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625588Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:42.019{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7608A26799EF8E2C0D52EE90E98FD2,SHA256=BA516F9BF59670B718F3F4B3E912312BF7787B8FEB84B20F75EBECF2689FAA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686213Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:43.660{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58F3D9E71E04EF8BCB1A4F34D192C41,SHA256=9A8F5FF71F56D1666873828F17CB1E25B770F408D872F6F0830294BD1B87DB9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625592Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:40.927{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51725-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625591Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:43.218{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD3CA807C7E5670E8B9B014DFDC9506,SHA256=F2D0E3DB1FD30618BB018151AE206100A9361C77AB02FF942BE8B73E6B6EA2DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625590Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:43.218{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0057ACD09177CE354045FF7E85E2DEC3,SHA256=6B09A2D06AE9E66C1211577168F6FBE6C5BAD6C711DB8F28CA6563E925A8B4F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625589Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:43.031{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA54246FF919FBF30E264E31862FCA4B,SHA256=672302B2CB02C22C315DB6D96BA16420DF9DB8C83D669876861F0180306D242B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686212Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:43.222{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68B9FBBC0633C433ADF4A4B8D7C28FD7,SHA256=0482D7E22472759C2F200F45E32ED11ABA7B4B39B1CD1438CDF4F3F214D9F455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686215Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:44.738{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3333533C887567A505080E02C8752E,SHA256=EA2950298895B74417CB7D3016B2F9868DCC2529CE277FB35B14FB8FAC1D32AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625593Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:44.047{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F5782A3975071F15F6FED826F95FE9,SHA256=5E49037E188090998240A8DD89778561832E4824AB60AF02A67B4D878BA277B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686214Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:44.722{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E50AC65746A9A8FC2AE9E9DAE5362C6,SHA256=D762AFE4CB0EFDE0B7D10B9C89469EF39206F9AF78B467FFE796EBE08AA62DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686217Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:45.863{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49963706791AFD51A5F2C1D426B8AF12,SHA256=35E3D982B5BA617484A9614916D5F7B98EA213DD8723FE9F26E94E9584F7A402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686216Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:45.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB998DEBA4F154F601D18F18568045E,SHA256=EFD1017909C776E52A3C21C99EE010DF81B1E19C2FE440D86CCEBB9A4A6DCF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625594Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:45.047{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B18E5C0F32255517C9CBD710BBDC70,SHA256=54C3F8BC3EE26CC70119EBF3B43BF8931560960692190A549F412999BA6CCB9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686218Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:46.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B471EE253E3DDB0698F9C579FFD73C8A,SHA256=E7B49F9F90F2B478857B5EED2D298A88A7041C3BD8CEEBE73283E13BD3A1D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625595Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:46.062{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D4349C6A0368F097F5174C39FDC3DD,SHA256=CD75CE282285ED5B57D9AAB7BFE3217EDA4145592792217001EF1ED145B21B48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625604Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.703{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-037B-60B9-605D-00000000C501}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625603Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.703{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625602Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.703{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625601Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.703{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625600Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.703{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625599Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.703{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-037B-60B9-605D-00000000C501}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625598Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.703{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-037B-60B9-605D-00000000C501}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625597Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.703{97C2ED32-037B-60B9-605D-00000000C501}3452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625596Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:47.078{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE9233D787F8B390497D55132AD5AB0,SHA256=A4ECBB838D39FFE1850D874AC73897F3191B8E544B4223B09F52AB3448803B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686219Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:47.113{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33BDFC4100E73123D8535FD104BAA80B,SHA256=829846770CB753CA5FB77EDFC6795B6D83EBE522CF87B8C53BD3DBE7BC79A49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686222Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:48.144{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F94985598D83DA1F4634F2DEC34C3473,SHA256=7143BF8EFC8CC428DB8E23DF21C9DD1C54873E799412E9A78A3E5E5F7F1D3746,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686221Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:43.458{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64453-false10.0.1.12-8000- 23542300x8000000000000000686220Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:48.004{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C808E2693701B7ACC30792549FC319,SHA256=CDD24DA33327CABB8669E44A1858B0F465C9B79EBA2ABD2AB389FDF4998348BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625616Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.937{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F784DEEE5E8F8240C482226A08775CC5,SHA256=04FBCD500960CB15484786E31E6ADD09990795ECF633AAE08599130CACE993C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625615Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.937{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD3CA807C7E5670E8B9B014DFDC9506,SHA256=F2D0E3DB1FD30618BB018151AE206100A9361C77AB02FF942BE8B73E6B6EA2DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625614Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.515{97C2ED32-037C-60B9-615D-00000000C501}4323228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625613Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.375{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-037C-60B9-615D-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625612Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.375{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625611Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.375{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625610Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.375{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625609Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.375{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625608Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.375{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-037C-60B9-615D-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625607Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.375{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-037C-60B9-615D-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625606Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.375{97C2ED32-037C-60B9-615D-00000000C501}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625605Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:48.078{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAD78F0F16178C09E7543187BB67B6C,SHA256=FD178D4374747116FDC62EE055898BD2863D84A3A48C0C795A1811CD719C136C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686224Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:49.300{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27FC0F0F2BFAFB383F61DBD05B092EE0,SHA256=C2BA085CBB1CFE1EDD3930720A2AF8D47250BDCA1362530F39EC5DD585829945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686223Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:49.019{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE4D0EF434D7E3F8FD396064A55765C,SHA256=026C628336929FC620F87284FA2AB0775D9F4D5467A94F369566C275CF52B6DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625634Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.734{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-037D-60B9-635D-00000000C501}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625633Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.734{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625632Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.734{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625631Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.734{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625630Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.734{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625629Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.734{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-037D-60B9-635D-00000000C501}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625628Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.734{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-037D-60B9-635D-00000000C501}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625627Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.719{97C2ED32-037D-60B9-635D-00000000C501}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000625626Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:46.939{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51726-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625625Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.093{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84553064D4865DD733FED7CFDE97153,SHA256=40DAA575A68E619B26DAC60B95BAFCCC88CA3AA1178C54F690A1E0403600BE31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625624Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.047{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-037D-60B9-625D-00000000C501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625623Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.047{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625622Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.047{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625621Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.047{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625620Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.047{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625619Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.047{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-037D-60B9-625D-00000000C501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625618Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.047{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-037D-60B9-625D-00000000C501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625617Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:49.047{97C2ED32-037D-60B9-625D-00000000C501}5188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000625653Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.922{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-037E-60B9-655D-00000000C501}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625652Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.922{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625651Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.922{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625650Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.922{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625649Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.922{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625648Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.922{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-037E-60B9-655D-00000000C501}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625647Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.922{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-037E-60B9-655D-00000000C501}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625646Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.922{97C2ED32-037E-60B9-655D-00000000C501}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000625645Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.375{97C2ED32-037E-60B9-645D-00000000C501}49962668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625644Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.250{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-037E-60B9-645D-00000000C501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625643Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.250{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625642Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.250{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625641Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.250{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625640Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.250{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625639Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.250{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-037E-60B9-645D-00000000C501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625638Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.250{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-037E-60B9-645D-00000000C501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625637Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.251{97C2ED32-037E-60B9-645D-00000000C501}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625636Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.093{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978FB96DF4DB8D3AEC34142EEAF21FC8,SHA256=27E883CFB5AA5F826AA50F3E635E50131EFED719D8B76CD53A9E0ED2080A7800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686226Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:50.441{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=448064C06798736C27F8F45E267BA188,SHA256=D6903D72E7A8C3E4ADD1EAE372CD96AE0C9919A016B8AB6B3D21E124B0D49E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686225Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:50.035{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10679AFE49CCB2B285BA2A038271E306,SHA256=04D0019BE67CE55DE6A121BEA568770FACA83C5C99FF5F5925D593E755847994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625635Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:50.062{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F784DEEE5E8F8240C482226A08775CC5,SHA256=04FBCD500960CB15484786E31E6ADD09990795ECF633AAE08599130CACE993C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625665Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.672{97C2ED32-037F-60B9-665D-00000000C501}11084904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625664Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.531{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-037F-60B9-665D-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625663Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.531{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625662Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.531{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625661Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.531{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625660Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.531{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625659Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.531{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-037F-60B9-665D-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625658Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.531{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-037F-60B9-665D-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625657Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.532{97C2ED32-037F-60B9-665D-00000000C501}1108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625656Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.484{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A29D705D273DB47E519991BA0A313397,SHA256=A90AF7BFF0B15D31C4602F86432B7D4FDCC481D102B1DC5D890257123DF1F5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625655Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81389BB90D449F01101675C3BE66F489,SHA256=CA1E9D785E20765CEABDDDE6B198753C4F47D411E388AB02525C63799B6C1BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686228Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:51.660{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A0898370B3D975CDC4EF5D9AD4F34BD,SHA256=053200E528C1306858E52878659C980B2D816A81434B29BF79C2996AFF77BF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686227Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:51.050{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4F668381A15BD70031DC652B943054,SHA256=F2E406E36C3C225301EC293F2D82F739A9D308B64FE337D1790ADCB2446411F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625654Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:51.047{97C2ED32-037E-60B9-655D-00000000C501}1968504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686230Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:52.832{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62DDE462D89572490ACDCB6DE4B9E605,SHA256=5800B37924EB814A9BE1EB8FA3E8A0FAE91116297328A54FEE1491A30A0421C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686229Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:52.066{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9AF1B9E928DAF721D316E3C88DC64FC,SHA256=DA159B3423CBB11F374DF0FD21D0EB4B5994E8612F6993B5143C0DD3F0E81BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625667Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:52.547{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03DDAF1F43643C5515C1FC1B1D42D995,SHA256=6A8C2AA1A6AAA7DDA41E5D2E15822082ED3898412BE807A300285D31C5A7D309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625666Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:52.156{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB7645F0ED3703795B27A94C1758DF66,SHA256=6785B59BCEC7E42F16D66E1DB4E7439861BAFB6EFAB400AD3754BE3DDBCCF30B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686232Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:48.630{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64454-false10.0.1.12-8000- 23542300x8000000000000000686231Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:53.066{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9E5BB8AB609D3890E878111C871C79,SHA256=D8DB69891A65C955E73E54A71223975AE1A0D5B66D0D18B8CB5D50E51267283A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625668Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:53.187{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC5C978DDD9525EFB71695F04E0AF7B,SHA256=9F15246C4D6BFFC51C5684E5ECF16E19F3749316D1AB6CA8AB4BC0F8C59F82C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686234Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:54.316{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C6208DBAC298D873674EB78E02E688,SHA256=D5EAC73A5544EB5762848617167FB6CFAEF82BFAD57C94A7EAE412FEBCDCDE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686233Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:54.113{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72709CA638425BCE1BA42313B8F9D34,SHA256=420A77F25E660A7B8A11524A199D123684A80FFD05D2F6CFF107CC1CD17DAA86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625669Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:54.218{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D495F68D589186CA9F91E6D50F7018E9,SHA256=317E32BA07698CCDA8A0A48C68E5BDC0B9FCAB49AC49DF3A236B61E340D91BBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625672Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:52.955{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51727-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625671Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:55.218{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93A589F1BCB3154A037259DA5BFA625,SHA256=AFAA0915A91F54736D400A79E583B0C7E00356A7939B116F32CF048D7B69110D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686236Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:55.425{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=097B547562C40593EA348825E6249DB9,SHA256=FDE3B9818103BB5C8680EA2A8D24411092C362B2A5FA58FDD4FB401B53AEDE1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686235Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:55.118{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A31D9CCE25E9C4319B746DEB1A411B0,SHA256=A451791AFC93641EB31CF00C9FA2DB7475EC05E0069238743A38114EF9D606F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625670Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:55.125{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D43440FCB06DF4FE28F3D3FDD393699,SHA256=C1EFA5BD11C43F8B0942046618D5F7D2C2575878C7AAC2F434F5160951D823CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625673Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:56.250{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA72D0BC6281327823A4F76FD9C6BF1,SHA256=803D5577826B5E1CB33C4A802923A1F239620167C4C290DFE9E86AF7F431C676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686238Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:56.597{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2201FBF742F198BD88B64A558FB9B20,SHA256=E584915FE2E012C92BC1C194EECAFDE0D748A450E9A56774FCE69B3352F7A3E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686237Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:56.129{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04DF3609710D079F4294159D93C1B25,SHA256=4938C28192A8DED3C7D97A7185F75881772680AD5D68AD0E81F82E38174EF59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625674Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:57.265{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A056A7A3719F33778DB37F712D1786B6,SHA256=0B94A105B0655734A9E9B372C0467DE0FE123B167989265525910D348DBA8B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686240Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:57.832{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E0AD8A653E5EE15D941EEBC2BF12089,SHA256=4BDE459DCCEEF435246F6F91F3EF4455B8052F28A044343D63066C181279512D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686239Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:57.129{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C8135C42E808FBFDB20B3D1BDF3DEB,SHA256=45557B277A172C27A5D20F796AED56BE97F8242DAEAA7C512C3F68849DC7A49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625675Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:58.281{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E5D285AC89EAE234ED561D0F0301BF,SHA256=A73FE946CF3E1E8ABB04FE74186787F82484965D003B1D3EB209FD5865B2FF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686241Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:58.144{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656887AE747A2041CE3F89FA503B2D58,SHA256=30A6A92AE3A7DC0B247A2347269D996C2B16B429D3B2EDAA8E9AE36F38E83855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686244Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:54.614{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64455-false10.0.1.12-8000- 23542300x8000000000000000686243Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:59.363{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D519F6D397DF45169AD2678BC7606FB,SHA256=9785437A3916B67E74A6F2750B718602D1515ACB0CF24B00CFAA61062C200814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686242Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:29:59.160{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D017443C60E4412B564D25F6BD21EF5,SHA256=F3D6E005964E4778B5C7AEA92CA4FDD9B7E31E5016B3140FC3BC93FC88225B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625676Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:59.297{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE3CC583619745457EB1205C3CABF80,SHA256=B619571B98E5848498320C8C35DB9E770FFE6737A281BBB3454F9CECEEEEE3D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625680Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:00.781{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625679Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:00.312{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F86C12883F02228B8FDF6AC7401B64,SHA256=153AFD6481CC96F83A395D11C691D9B278BBDA06D6D2A1C24EB831D494095DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686246Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:00.488{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11885EF1FDC536B2CD9E19943E8D8935,SHA256=513CB6FE0E96D7B37ED294B01FD5C2A6472D4416F875389A2553845ED9F78D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686245Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:00.160{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A5E0938C2506585D9372562C15846D,SHA256=E92E6F2516A7BA9D46CD2EF7E61D7BFC9B2F402B8789813464A794A10A57CFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625678Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:00.140{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C383B1465C375EC2FCB8539EC6E46A4C,SHA256=E736D6123E083DA262FC3A19405AAC2B013F1EC4611DBFDE9202A948B27A93D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625677Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:00.140{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C9EBAF27D04F8C57B70258ED16805BE,SHA256=1E5F51E30ACE59AE2E92FA770066B0D125BFA93208484FFBCCF7CF498796E74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625683Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:01.797{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C383B1465C375EC2FCB8539EC6E46A4C,SHA256=E736D6123E083DA262FC3A19405AAC2B013F1EC4611DBFDE9202A948B27A93D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625682Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:58.002{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51728-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625681Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:01.312{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E007FC10BF7161A9F885FDF9502E2C89,SHA256=E9C1D924891EF18858DB394BF241FAD70BF37DA3D3DF2D9C0D87D158E6ED2E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686248Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:01.660{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A893CB284A96FFDAF171C3707961C98E,SHA256=484EEA699F76B48A9B15BEC7309AFC9DD81AA29EB09691C394A97F329C9ECDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686247Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:01.175{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95901E24B550A65A1B88B0418853D2B9,SHA256=039578F3D86F7BCBC383336EE12ACD78C425BE4FA7ADEDF1A135DC9F175371E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625686Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:02.896{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6F114932F7A9567DB6353CCD6AF3B7FE,SHA256=C7BAFCBCD19F4030CBEFBA33D4DDC14C1089BF3DCFB34DA5613774221CAA6DD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625685Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:29:59.627{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51729-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000625684Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:02.328{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583004863EAAD60B55241A4DBDBC3B89,SHA256=E7A0ED985ECD9E824304B84FF2BA17AA3C73C31708C3D5A7CF65EC2660271E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686250Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:02.931{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA933885998D1F0AAC56850350CD6C0F,SHA256=BE744DC2264E1D3500A372F0AE37DABBEF7FF6E474438D5402C8D01586A60472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686249Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:02.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A2742A5169A0B1E0F6870D147DA933,SHA256=77A1EEE16FD5997319164ABA70E7B8265562B5ECE82F7B543BA3B61495C33D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625687Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:03.349{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D905F297A43C23582F32CF5109CAB73,SHA256=54F5ACAAE63B33668322DA357B3146E3717ADD432AD4456B093CB0A4068BD0F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686252Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:03.822{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686251Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:03.181{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575F5EEAD119A5FDE2B72B46C87DFDD4,SHA256=F6480C95759A0420CC36205E713CB0FA78103BAC52D4942B3D2BD827BA11299D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686254Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:04.197{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7FA24A131AD4103071806F3848F52C2,SHA256=8ABD255302828AFE718704DE3503EA9C7D8201153C6568F1428B179BA473E3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686253Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:04.197{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852C6BC85A355B50CBAD76BF796A3EB5,SHA256=2BD9D994C046B3F52FC0FFCDBDF2C6A3894B27843175C186ED9A6F2209F45F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625688Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:04.396{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18DC47EF7DB84BECFA473A2E1FDD0D6C,SHA256=C1EE76F5069951ED12FF3D9C0F3FB291F67E175E2720E0358A8067DBEEA8E618,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625691Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:03.008{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51730-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625690Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:05.396{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92058F23315614259F695D4756A57A2,SHA256=1A01CAA376FE2E4A2FA2216D203D13B7088932A886CF5B76BE477E6F2A6E549E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686258Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:05.541{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=234E2FC414DFF463F7E1AAC4228F0A5E,SHA256=A60E2A6D13E1135554AAFA57B14B6217F51180351036E63BD5FE4E2BB4F2F88A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686257Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:01.214{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64457-false10.0.1.12-8089- 354300x8000000000000000686256Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:00.589{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64456-false10.0.1.12-8000- 23542300x8000000000000000686255Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:05.212{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBECE0FA2469F0C8389282293EC9A90B,SHA256=B9CECF13BA13498D690037C9E9E67CDA23ED6C08B4159DFF1FB1C3FF713D31E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625689Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:05.162{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E37DDDE212CEE04E0183F3C4CF7099C6,SHA256=1A8B1E615D06EAF4B4E9D4ECEB5594F7D76A135E1A15719A0B69B6A8AB70B361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625692Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:06.412{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA062F870E59ED51522C2DF6B5D6E3E,SHA256=58B44B356E0746A46070BF6150CA835B6309502FCCEBCB92F6D8A6EDD94092DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686260Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:06.650{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=793EE23D3C7E468E7574C10897CBDD72,SHA256=06EBE2F53D649251129FB476A6D0BD92FE00F69FCD0CA6AE60788F8673264897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686259Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:06.228{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18126DED436A4409C6A50670BEAC0D19,SHA256=2FD4414AB02AD8D98FB525227360F0E7133C53146DD0A728EE4EB48809ECD575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625693Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:07.412{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661D6E39A36DE3D340CA88809CF53F95,SHA256=D45C8C62595913C49D61AE6605F45AC4A598EF526A8E19390127CBF0DC4A1DDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686263Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:03.230{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64458-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000686262Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:03.230{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64458-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000686261Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:07.244{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D67172936268C0CF54EF7333F0C831,SHA256=7673681C030D0944CCCCEAFEC637845E6E9E8F0A1C58A6587FA586544923AA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625694Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:08.460{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13B82D4321A60605949BC2F856CAB21,SHA256=B7A705983A7D0D618A13B6BDE397C8FF0B98FD97487B3F118AE423C9F50C9690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686265Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:08.244{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F12D324D471A9AEEC4C73A962E1FC01,SHA256=A458717D7B3FC96A9A4EC1A280456C0DAD9FF010DCBA849A15326F776859BC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686264Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:08.009{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF2AEFB781E61EB96AC47F59766FDD49,SHA256=6E03DD5FAB7F48F59D35169F049AD99B0E6035BCD5F1442B9674E8E05D410A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686267Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:09.259{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4DCEB9284122EAB9EF63D4E17C54C3,SHA256=A5CA1F5F536B65EE9083E91F099F13D1E438080FBA3FD9697770C9949E113B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625695Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:09.473{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0335DA3A531068F9634690DFA619B6CE,SHA256=1EE1BCDFEC36B26D9809BC8E0C0329BB617AC4881B33B41C849830D4A4FB63C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686266Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:09.134{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AEB189625E9199A768D8FC4B5CE4641,SHA256=F1269123E210897E1C649670A2A29FCAE4F92049AE18AF067F11059CBE4DE9E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686270Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:06.620{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64459-false10.0.1.12-8000- 23542300x8000000000000000686269Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:10.297{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8CF007C996B242DA632309B91862714,SHA256=9D26C625237CEEB6E9B68D3A6F162A30098B14566B740ECFA7D0433122CDD685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686268Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:10.275{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D632A09BC475C55FF71B107FFC73C5C,SHA256=3172019617E325BFE7E74138F74C33DE179589B1D4A0491946A5398D05A509E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625699Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:08.024{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51731-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625698Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:10.475{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F887FD1A5102FCEE9503C53AE8F4B75,SHA256=98EA256A79D4CF2F34AE4D8D57836278C4FE86254669F8CBC2E20B5D03F2B45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625697Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:10.176{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B129FF089673E6DE57A3D43CF269E427,SHA256=FF46D524555F0937A51923D29727157CDF0ACBF79939F9341C49639A470AA9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625696Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:10.176{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8CB87EA7DE45A244434DB939A338AD5,SHA256=B20B19BC9012CA6686E910FD21A8F33A0D1BA425016DB8A34A190E3B092A2B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625700Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:11.491{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C80727687DF05E09A854508C420A8F,SHA256=A114D1022F6F788C6161A3DEDD9176B20F0A9F828E44D92F5A90BCC496939661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686272Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:11.556{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49F28594DF2113BD37E09F9608A7436E,SHA256=DB2FB2503CDB837D121812DA1C22D877EB9DE943B6F3AE9FDCAD6BF70BFE4C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686271Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:11.291{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B079B64685AA0B5D77C06AFA6EAC07E,SHA256=B928EB43148392CDD90F871205C079A523CE7AF8B6791624E9792A33899CD9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625701Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:12.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1076E55CA09B7691AB0120E56BF70108,SHA256=CA7887C6A37D853F292BF065240D49F92BEA1C544D573ED582B9686D0F6A6DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686274Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:12.683{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4754FE881359918D1819A4075F30278,SHA256=A79AA600BF82B496C1EF98B3FA6AB1608D8A6F62DBE3D21F5747C8F24F97D951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686273Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:12.292{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3078695D9A62C700D570510FF3D20283,SHA256=0E3C65AA0D7F5794D8F840EA933A9D385BD5F539348B5BD0759F3F7FE27C9093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625702Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:13.507{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C4A184F1C77C13882E50BFFAA5362C,SHA256=B1A4ACBE4CC5721E73D5CC6F6ABBD63DC0714686A4C2D260EB73334347540712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686292Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.961{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B09831E5162C91427DFB4C2DF262F50F,SHA256=F3C23133A5D463B725FDF7AF68D50A49B23310B91AA25CD40108B91A40A3289A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686291Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.899{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0395-60B9-FA52-00000000C401}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686290Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.883{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686289Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.883{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686288Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.883{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0395-60B9-FA52-00000000C401}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686287Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.883{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686286Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.883{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686285Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.883{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0395-60B9-FA52-00000000C401}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686284Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.884{D419E45B-0395-60B9-FA52-00000000C401}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686283Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.305{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A538476E2BDBEA909E9D54442ACBD8CB,SHA256=61CA1A2D0C04F63721211C2EFCAD6A68090990A38E2E08D385F211FCB76E6445,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686282Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.211{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0395-60B9-F952-00000000C401}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686281Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.211{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686280Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.211{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686279Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.211{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686278Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.211{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686277Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.211{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-0395-60B9-F952-00000000C401}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686276Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.211{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0395-60B9-F952-00000000C401}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686275Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:13.196{D419E45B-0395-60B9-F952-00000000C401}5328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625703Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:14.554{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF83D331BAB81DA29978D8E4020372BF,SHA256=EB70BB0B1B6DCF6795AE0F57B8B72EA747AF97A3AD3B1704C03F35EF99AB6046,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686302Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.560{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0396-60B9-FB52-00000000C401}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686301Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.560{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686300Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.560{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686299Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.560{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686298Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.560{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686297Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.560{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0396-60B9-FB52-00000000C401}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686296Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.560{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0396-60B9-FB52-00000000C401}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686295Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.546{D419E45B-0396-60B9-FB52-00000000C401}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686294Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.310{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849085CC3172BC09962F96A82F4503C8,SHA256=C8076CA17D9ABB55C584D632FC6AC753B1E88720307650D6B72548075C12A81B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686293Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:14.071{D419E45B-0395-60B9-FA52-00000000C401}54165024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625704Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:15.569{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD429A8FCCA7D04EABEC81D208CFBA6,SHA256=F483212828BAB98FEAC8E6D3AC64B64A28770CD506F21585A1A41EDEF5B96B0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686321Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.920{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0397-60B9-FD52-00000000C401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686320Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.904{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686319Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.904{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686318Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.904{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686317Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.904{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686316Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.904{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0397-60B9-FD52-00000000C401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686315Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.904{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0397-60B9-FD52-00000000C401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686314Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.905{D419E45B-0397-60B9-FD52-00000000C401}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686313Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.453{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BD46EB832E550EE93116EFCFE256F6,SHA256=5B6D40C6D639AD24A721C4861CCB20EC307C2D66A109A1F8541504EBBC8241B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686312Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.388{D419E45B-0397-60B9-FC52-00000000C401}7161180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686311Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.248{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0397-60B9-FC52-00000000C401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686310Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.232{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686309Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.232{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686308Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.232{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686307Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.232{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686306Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.232{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0397-60B9-FC52-00000000C401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686305Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.232{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0397-60B9-FC52-00000000C401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686304Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.233{D419E45B-0397-60B9-FC52-00000000C401}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686303Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:15.138{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5789C1B495A53997C17A250FBAD9E8ED,SHA256=A0731A89F6DE36D558B426E620484CA9E7116EDD32E1D20D1399176CC2C54BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625707Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:16.585{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CAF64E6292D471068977F6A42BEA0F7,SHA256=261B41710BF921DF09DBF18EE7874BA2ED8ECCFB37F5A0EE38ECFD2B4F473C2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686334Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:12.592{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64460-false10.0.1.12-8000- 10341000x8000000000000000686333Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.795{D419E45B-0398-60B9-FE52-00000000C401}49482112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686332Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.591{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D2BCBFA9F4234A2BBE25E727CFC6AB,SHA256=33BDC80105F0796F941A6D938D2B3D28E8EDD70A0AC0DB0F7D2A5B98630E91D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686331Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.591{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0398-60B9-FE52-00000000C401}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686330Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.576{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686329Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.576{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686328Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.576{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686327Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.576{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686326Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.576{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-0398-60B9-FE52-00000000C401}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686325Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.576{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0398-60B9-FE52-00000000C401}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686324Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.577{D419E45B-0398-60B9-FE52-00000000C401}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625706Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:16.179{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3855F82F89F5EED2E8D1ED55482235F,SHA256=662D7C39754F41DBFDC944E0B45D5CA338140BB67E87C317858E5A13C3928A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625705Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:16.179{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B129FF089673E6DE57A3D43CF269E427,SHA256=FF46D524555F0937A51923D29727157CDF0ACBF79939F9341C49639A470AA9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686323Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.295{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67F7F9CC31D8DE9C87F23A2A64492271,SHA256=48BEC5AADC1C3F88887CC8C2A3B5B582BBEB2B44E5E114D1826DAFE8A4FF37D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686322Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:16.107{D419E45B-0397-60B9-FD52-00000000C401}26286888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625709Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:17.585{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A7094C615315D483CCEA9BA6F2107E,SHA256=3BDB0E43CC3D117AC35E835FFF5A1F400D0B04810BF2CB3D1716E8329EF97C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686344Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.732{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96555BF1E0E1529CAB3BE8DDA2E11E5D,SHA256=C2990FDD32F1ABC245B30AA928CE158FA344409473BC3F9CD45C247AF1111AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686343Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.732{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7412E7056F0F530757D243BE32E39F5B,SHA256=D76859C3011D300DC5CB63A2AA26598C2FB3DE46AC07B252709A8E8AA9471AC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625708Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:14.025{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51732-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000686342Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.076{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0399-60B9-FF52-00000000C401}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686341Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686340Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686339Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686338Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686337Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.076{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-0399-60B9-FF52-00000000C401}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686336Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.076{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0399-60B9-FF52-00000000C401}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686335Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:17.077{D419E45B-0399-60B9-FF52-00000000C401}432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625710Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:18.585{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F7128CC0896D90F0DA4A72E8F577A6,SHA256=932F2B254DE212F7024B6A2351D6517D14C919C1018A0A13B5BB178346C42692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686346Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:18.873{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79A15FD96C1E6DF588F4A3E97923F5A1,SHA256=3E227CF80BF6B0ACA0601A94DA759C438E4EE53398AFA67A8D7DE53382B26790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686345Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:18.779{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C77A741C641A47AD515FBB823ED4F4,SHA256=65E3DE77193E5B1953A6247C00FC7E614BCD89F938DB946B5DC71F8AC1886530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686347Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:19.795{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E848B7C3FABDC5CD74E362F91DF9314,SHA256=BE9A90167190D10E16A77F163CC2A27AA535708ECC63AE0BD319D051D2737E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625711Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:19.601{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6C449CB14B09DE224E28536A7D05C6,SHA256=96048C0403EFED37C1711BB01CEFA44FA60994D3A36DE8212AE513E03C6EE308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686349Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:20.810{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2711508FAA0D7FC8C43E97AF39D215,SHA256=14D1B809B99998D55CAFF3E7B71703C5FE6B7B85BAC6F48A41ED1EFA3E56E033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625712Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:20.616{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A8B5E294E964576A2ECC1DC2999D5C,SHA256=3038B70E6F791A493BF078B620638C1FAE0F2645258630920613C8C3328B35B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686348Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:20.013{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D093DD76F9CCD9181CEF23F13E6B995,SHA256=16CFB26050890B89528DDA94AC363671E946C630C71FBFA65C231B6C2893EC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686351Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:21.826{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FADAE7C45051A2634E0E7E0F13736D5,SHA256=2F301DA2CB34BB860440F7CCC934109224D8224C1FD733AD77EFCA4451B4FB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625713Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:21.632{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C9DC537FEB04D9824E277A967C3A6E,SHA256=82F9719E01FA1D96F6CA86B77196E613D9FFBDB684FEE711F9802520BAE98F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686350Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:21.154{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=693500183A588DFF77FDF46F9BFEFF23,SHA256=FD1A38786D7BD5D636AE7E505C15FDED608D65F1B3415732E879A19B58FF7EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686372Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.908{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4DAB0E0F50C82569161A604B720B604,SHA256=668898B149208A0FA068CF554771A5E8E3C4F3A046A69638DBACB844736FFD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625716Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:22.638{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B838F5A90754F2B804D92B5E8B5B1BD,SHA256=295F71220A48D3311C606181AF04A00B30C30EC2BDE9E91F88EB779FAC35815D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686371Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.341{D419E45B-039E-60B9-0053-00000000C401}6840ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686370Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.341{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EA37CD66254847EA8CC1B5C32489FB1B,SHA256=D0276322F9307D70F6EC5F48DC0EF6A5CAB2B5BBA1FBE873B5E462D15EEAA862,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686369Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.279{D419E45B-7530-60B6-1600-00000000C401}12685808C:\Windows\System32\svchost.exe{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686368Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.279{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686367Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.216{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686366Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.216{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000686365Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:30:22.185{D419E45B-039E-60B9-0053-00000000C401}6840\PSHost.132672114220835649.6840.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000686364Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.170{D419E45B-039E-60B9-0053-00000000C401}6840ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_g0hehozd.ual.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686363Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.170{D419E45B-039E-60B9-0053-00000000C401}6840ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_k1alnkdu.3nq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000686362Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.154{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_k1alnkdu.3nq.ps12021-06-03 16:30:22.154 23542300x8000000000000000686361Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.123{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=668E0500073C85A1869BB76FC3802C62,SHA256=EEC1D64803F1AAF59C498A5080E8BAFBE12A61D9F408440FB3A2FED7F26B7240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686360Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.123{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686359Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.076{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686358Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686357Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686356Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686355Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.076{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686354Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.076{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686353Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.076{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000686352Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:22.083{D419E45B-039E-60B9-0053-00000000C401}6840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" import-module C:\temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000625715Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:22.388{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1597E55B962F2D2A2CE06A9FB927536A,SHA256=E9F732F92CF7B9C6E36F4B3850A7A10C57600556D5184352ECA04B1C541ECB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625714Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:22.388{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3855F82F89F5EED2E8D1ED55482235F,SHA256=662D7C39754F41DBFDC944E0B45D5CA338140BB67E87C317858E5A13C3928A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625718Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:23.638{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E457DF9DC572C654F2387EEDCD0E26,SHA256=686AD7CACD6C1C70346ED56EEB04105FA1139CD0F3ECDFAECAD3A1CE815321CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686376Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:23.909{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4F5304F93C15DD6E3071065B7D0B35,SHA256=9C818471B1EE3EAA6D64343EDD9DC048AE213F7B7E066C8E4FE67CD0A2E99AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686375Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:23.471{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3521F50535D7A9D0D34649DCC203500A,SHA256=B27533E5352D5B797A5B17D37C7368D05C60D9A364AC9B091E8855F49462164E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686374Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:18.498{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64461-false10.0.1.12-8000- 23542300x8000000000000000686373Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:23.096{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=32B6FB72460B5BB0EBC5B404633D7EC5,SHA256=7DE1F1CE8D6B93CAA20787B6777C78664F64620BEBBD821E99DC82662B79277C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625717Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:20.071{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51733-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625719Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:24.654{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A190255B28C0EBF9870E8221FAC9B89,SHA256=5C9797AD539716429D60DADA665DC6AA8F641C861574A75A329805DC7A9EC13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686378Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:24.924{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57ECC0BC675078CB1DE59C73FA8074ED,SHA256=D4BA8D3D261380A6E3009D87AF4A52529CD09D87988470F8CA2C0B8593038B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686377Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:24.721{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99CC61A9C92FE3ABD3C0C1ACEDA1B50,SHA256=7CD6E58FBAA936042EF4D6507391B7303C1F3160A646BA613DB097E631ECDBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625720Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:25.670{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E572A09D911D5DE165BD7CE230DAC1B,SHA256=8A01A0FE52298DACB07D87618A7CE0F7F643B723A144E84FF221BBE838751544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686379Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:25.768{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEAB8E9232A93DF599485C7DE75D2ECC,SHA256=B3797C807589CFCC4084F60C10BB99F5B7555FE614F4C9B5199727F444C73FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625721Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:26.701{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FC727AC61DB03F2988DDB2C8C34492,SHA256=017A6AC1B188F39F17CF89516D22B4426CAC82425BADE7A148021C97992C88BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686380Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:26.080{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE997F2258833DC88612AB247872A5E,SHA256=F04C7230585A0EAA6E84A743F777668241AF745E84C2F1ABCC71C973254675C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625723Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:27.732{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9195E7B0D61A2534D793397E8DAF64,SHA256=B0F7932ACC5968FB9B0ADA0C6E86AEEAC39ADBB9CC5D0C521F6D1592B25C3DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686382Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:27.315{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956E088733250AF6FF24089B24B2F4B6,SHA256=71CB8DA928D9E1184AE74F1AE667ECBF31A253F1E4FA64DA315240351E83BCEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625722Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:27.248{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1597E55B962F2D2A2CE06A9FB927536A,SHA256=E9F732F92CF7B9C6E36F4B3850A7A10C57600556D5184352ECA04B1C541ECB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686381Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:27.205{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E91C6D8B3DFD820AD1CE96B27DB9A948,SHA256=C7731950E1DE998E859083B091BC5C237D499FA62211B973301A573BDB176564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625725Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:28.732{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1932E600B13341992559EBA528AD1144,SHA256=9F11265C2DA0338AA8DE1B49ABC898D5FB6BA000A1420707CC9B4D8342A503E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686385Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:28.330{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E177D97986B53CFAE6F1726BCABCF314,SHA256=1265C32EE21678383C677F7724DA6085335B1DF0B0E4D280AE56E297CC970931,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625724Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:25.094{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51734-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000686384Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:28.236{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9575DEACABD8782E7DF4AA1C3BCA9ACC,SHA256=E2BE9E05739C3F981528EB316F999C13CB9F45A867940ACC6F686AFBF589EEEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686383Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:23.612{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64462-false10.0.1.12-8000- 23542300x8000000000000000625727Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:29.748{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833E0B810A5BCA2CD520FD6FFFD1B1A1,SHA256=C80FC5C52273D4D63E2B50AD4B139469BA111BBD7527B49844C835756827E370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686387Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:29.533{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ED152819AF9A12B5F69C7287053786D,SHA256=E29F42FB003C257F40EB7358ACFB721A91E450BF7E96726A2B036F7486B68DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686386Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:29.346{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D493309639765A6F934E2895F1FF15,SHA256=44E54885635A6810FE9D44AD467594AE75454BD80EED095600FC13B0341AD13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625726Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:29.435{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9f4b4c0.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625731Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:30.748{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4FFE064B922BC107D2E7343FFF2346CB,SHA256=50DC99F5E02D5F9A5074C19EE4E654753DA2553F57DB5185916DEB6F20DCA3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625730Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:30.748{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DB8C6E2964F29C7E10AFFD93A58E4E33,SHA256=AA05839BF4F1068AFF0C37018678A189CE62971B9A7DA02CF1C8044B8FC686C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625729Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:30.748{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F87CA1BCA8C0BFA5802E7758B7D2467,SHA256=6B6BF90F6837171CFE0E781948443EC5EEA2151D41005827F32D5390A7A7030D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686389Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:30.658{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D5FE6885CDCAD61B8D984004EB19491,SHA256=AE4B725B516A0EB977D3A3262116BF3F5DE4F3F08BE60967AC1676E7A9D7DF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686388Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:30.361{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC0D2CCE0CA26F9B2BEB9FA6E613703,SHA256=9D8440FFDE71199F48FC34FFA43D0382507D7E2585878DCC050AF379F385552B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625728Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:30.435{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90D682233CBE1CC5D65380C1E7B29C49,SHA256=0456BA3FFCEBE5DD42C97F038AE6CC27D962B060E445D3DC2F146D4F768006C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625732Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:31.748{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FD0CB4A03CCBAEFC17634FFA8BE3E6,SHA256=BCBE1BF3C07B81953DD4C47343175434647512A55262B55A10BC9E859227E1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686391Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:31.783{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17C26E65D808F9C5B8626F23446D9AE3,SHA256=C56CEA0034A03B28D56AFFC542BFA85E6033D27ADF34A357A170ACD1FD5E74C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686390Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:31.377{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F27940196669B6DAF24E6758EFC8124,SHA256=C946CACCA25E630E2CF6593FDB7035B2904C50246F11EAA5604E91E55AE5CC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625733Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:32.795{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B02EB375BFE4A93A4A244E8B4689222,SHA256=3F3D8DA9517FA72464A911175303307C5150DF8784A51C0965A1D40110851AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686393Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:32.830{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=74D2D6061E16358D89E1C84DCEE1F4FE,SHA256=F96D39580B2DBF31653C92824B46E89E8A34331966F62B0F4FE1ACDE1AA57BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686392Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:32.393{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=945A532A201B61CD755ECCD78C1EC1C6,SHA256=3868B38C410C4EF490772EC15077783DED5E5DD1B5DD03DFA2AF96BF2D8F5912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625735Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:33.795{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E75C5F39E04215D2F7478F8108086451,SHA256=27008B3EEE266C2D682FF7C6EDBAE848E008E71926C17F1DC92FDC11FEAFDFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686395Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:33.424{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDAF51C11418C67F454E718DF5D9D8D8,SHA256=1AD5AB832289ECCB60DE3A57F3D2AD5C59E8AFE04A93D5952CD33EF852A3E875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625734Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:33.107{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A489007E2591C9D180913A8C297A54A7,SHA256=9D392BCAD14C24780C303AA6979E60973BCAF3DA67CBC6DCEC7E219BB941404B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686394Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:33.080{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B996199D2D19AD6502EDE48D3A93A6,SHA256=F62C618BA1C71F928F610ECD9662013C2C73F5041A21EC6E20F1105811D315ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625737Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:34.795{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A375445FC9F4B2B3D24B7F79434606,SHA256=F4A0B76CAEEE910EBBAD66B8116DDA6F2190EB81A96863A312BC9153884AC8F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686398Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:34.471{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=736290B0C990E8ED63933E1B9723916F,SHA256=0B8730710D9127BE6484B7C51B074C774010CBC78584346056AD881AF6337031,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625736Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:30.969{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51735-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000686397Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:34.299{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D6F99F08E3F0E2D3C47D08F649C46F1,SHA256=06091883B2230EBFE3A099A652E49BF7014965E1DE6D5CD8DAF8B6A48B457AD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686396Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:29.565{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64463-false10.0.1.12-8000- 23542300x8000000000000000625738Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:35.795{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E17D9766AA0065376FBB5813EB75E2A,SHA256=15B6B16D19179DC24890A67FEAED5FCF1F865160202EECF42D292EEB067BDB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686400Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:35.643{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCF97C6036D436B7B92BFDB3050CFFB3,SHA256=C0573E9EB36C5E46982F8FB00E46DF32251638EFAB546B0B4F42520BD408C129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686399Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:35.486{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAB21FDC3AA4AAE7F16B4A59E4042A4,SHA256=EAB82BE12D80D72D85C8F309C0C035B9D822A4125FEC58A1D10E5357912C4B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625739Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:36.795{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE99DD14D50AD8B42A6C57E56282D9A,SHA256=5844443564AC2D440AC25653AD79667B13807EB5289C15D481B4C4AC2F57FFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686402Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:36.799{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12D3FA589A0E48C3CD474EE57787C6CD,SHA256=65710BB6AF253C89E70DB00EDF0360222E069E8BDFC7FEECD92172B30226B10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686401Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:36.486{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C9F9DF85995807B28C21902F110E42,SHA256=6B382C6E33E772608B2BD5A36FF8A48DE217EF67C3E8BF72CEBA299578F46F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625740Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:37.810{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BEEF9CE942EF3ECBBF19BDD22030D8,SHA256=C518F7E07B3CB11004A3C0BB1F218DDF75440B044827B92922A44EDB702F257B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686404Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:37.955{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6600EC124B64F977DB4AC692FB2A081,SHA256=B706476EAC5831EFE3D0D9EA552578E1C16DC2430E0C6AEDAD495181780C37B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686403Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:37.502{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C50BFEC1E3160A20A947680CB2393F,SHA256=06CBE8971F0C0118868622CC339A13BBD7B35647BFF18AAE293B07684A6CBEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625744Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:38.842{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F8551848C9973DBE1A920E65E1358A,SHA256=05149FD9C1EE188FF1BEECECD5B0F0745AEF070F1496AC87F5A7A58742864794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686423Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.940{D419E45B-03AE-60B9-0153-00000000C401}3540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686422Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.721{D419E45B-7530-60B6-1600-00000000C401}12685808C:\Windows\System32\svchost.exe{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686421Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.721{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686420Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.643{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686419Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.643{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000686418Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:30:38.611{D419E45B-03AE-60B9-0153-00000000C401}3540\PSHost.132672114385049502.3540.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000686417Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.596{D419E45B-03AE-60B9-0153-00000000C401}3540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_imaxlpu4.1cb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686416Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.596{D419E45B-03AE-60B9-0153-00000000C401}3540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3hxuacnd.hg1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000686415Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.565{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3hxuacnd.hg1.ps12021-06-03 16:30:38.565 10341000x8000000000000000686414Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.549{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686413Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FA7AECAEC77C8F94AF88AF4F1966FF,SHA256=C3B94335B14550D9EC6E701CCE1FC3289CE45DDD0B467CDFF2F47D4313B702CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625743Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:36.078{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51736-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625742Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:38.373{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5CD35C4306697AC85982033162F3E0D,SHA256=EFFFD399AE7B5D9297CE529DF5EFE5FA3BD58534E855E090EF14EC0B10F75AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625741Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:38.373{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20502C65059ED985AF3F981720799F6E,SHA256=6599AAA9E77CFD251ABD989B40FB569BEA11807CB624DD1A925C2289235A5239,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686412Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.502{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686411Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.502{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686410Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.502{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686409Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.502{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686408Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.502{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686407Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.502{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686406Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.502{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000686405Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:38.504{D419E45B-03AE-60B9-0153-00000000C401}3540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-AzureHoundC:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000625745Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:39.873{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356F1445A56AB2EDD2BDBCF63B4473A0,SHA256=47A501417D3F675AA671E0703851149D42B306F184ED26617411B104C6AD02F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686427Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:39.533{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B0B0B8D93A825C5A8CC594598F9927,SHA256=01B8744887DA87DA3D11AF103DEE459713E34FC3883B665EA6D0163644950EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686426Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:39.518{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CF2E4F05BEFC31D7E75B9E36DA0E47E6,SHA256=025A43517A3E589B92B82329148F9293D415FD08C3F288944F70F2AB2285D402,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686425Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:35.471{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64464-false10.0.1.12-8000- 23542300x8000000000000000686424Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:39.033{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B28982DEA3842FF4F1A434C0C94B3BB5,SHA256=D72B9A08746A3AAB589F27B45ED12664499A550BB88215A6E43E81C259BE6493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625746Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:40.873{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A77B3E141682BDFD8AE72A8AE597C84,SHA256=066DE2D23BDE45DC2A157239AEC7295BB12C59B98FB07EE00D250646B6475052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686429Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:40.690{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=011B162E0971C2C6E79323EF729C1A02,SHA256=A970CC4A9C9599354B9BDDF47414A889650783FD9E56897E9493B35DF0C2EE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686428Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:40.690{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8C0E2BC6E1CDDE4C302834DD558BCA,SHA256=A6C88894706FE4B29E4CA7A4985D7E765B615A69791BC473AEA9E19D8E9ABC9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625747Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:41.873{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C0AFFEA4535B189302CCB4CC5C05CB,SHA256=C8FE7111798DBBD0C6C4802CC20B3BC50F55DAB2D58C1C5CBD6A754C9A638BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686431Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:41.924{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D56116FF46A14D554007F8B7258692DD,SHA256=A739E8238EA5B64304A79582BF64CDF59630BFE7977A5FE6818F6E532A96D0A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686430Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:41.705{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F638CAF3342E08684BDA2E504C45DA84,SHA256=822AD40BC17A45031309F7717E03B20D5A5DEEA851AD221C9E0E4AB12FC82ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625748Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:42.876{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E344716F659671BA8A69606C4F3DD3B1,SHA256=A555DE18D3D6119CA1BBF0F1D1D1E61E7FB07B1ADCDE9B5DACE1832A66184C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686433Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:42.942{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D10862C1D794F510D29EAD631179E15,SHA256=4016CBB0DDEE4BC42AF44C07F0F232F6DBAE88EF2FE99FD904A92DE1606A65DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686432Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:42.708{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5DE390979D19D2449F693645C3CE88,SHA256=0DC491C6F9D8100C8EFFC3EE340B09AE6B23E522C83E7015C024B002200115F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625749Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:43.892{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B8763D03B969BA5E79884CCCF07F01,SHA256=87BAECAB3E5D483669B2ACEDF59EA3553DA80A02248E3FF69CD5AD91704EB10A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686434Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:43.724{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E4170B90C0B4976E0CC07C7189732A,SHA256=3BD2B84398A218115F82327FF48BB1BAD05716D4A89A10A2020AE988E759B036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625753Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:44.907{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2004C2F307A3871219F41F2625115C87,SHA256=EFA69150D84A876CD0DAF34561D0F56EE19034477CACA7CA695A61C23FB1B3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686437Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:44.770{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698704FFC1EA1DB9E2C524217837F452,SHA256=A5DEE0A443EE97F939A65D2A802FCA1BD703FE6DD48484CFAFC23DCE9D8DD0A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625752Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:42.050{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51737-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625751Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:44.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CAF9396824DDE93AED60A22CADA40C4,SHA256=9FF7E67A1DEB1198A04F7D165C72668F1873EA0070E7B4724F462D7FD7E972F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625750Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:44.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5CD35C4306697AC85982033162F3E0D,SHA256=EFFFD399AE7B5D9297CE529DF5EFE5FA3BD58534E855E090EF14EC0B10F75AD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686436Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:40.537{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64465-false10.0.1.12-8000- 23542300x8000000000000000686435Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:44.099{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1980D298FAF2B4E5E5B56916B275C890,SHA256=CE719F05FF6B7A72018B8C29785840B7B3C5368220CE51AB1F17C10EF7D39907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625754Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:45.907{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6CA908D03FFED1F14BB8B8316BA7DD,SHA256=CC94FD208905C0F404E98BB177AC41955539B8B25A34E8B986170C4DB3C52710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686439Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:45.786{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2C0DA162757F647738CBFC757510FF,SHA256=C8DF0E8602DB38B8B026519B74A01A41AE2D6FEEDC486A25D0E66EB2BD1EC2FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686438Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:45.239{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50AB7E4B37131827A4588409CEBA9E3F,SHA256=2CAD305EE53FD456058DA92A1ABE5BDAC18CDADE655D2E7852CDE052D2A78452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625755Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:46.923{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE6EC894AA424315D63755B0F5E2EE6,SHA256=A3599F4C696AD599C74946CFECFFE5AE9364F7C262C340B9876634C705778BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686441Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:46.817{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDB2FA3E5729EE9EFCEFD214806F72C,SHA256=D221A4DD59B6452CD84D4032721B93DCDE72916837510496FFDD6BF8E71296A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686440Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:46.474{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=156FC915B8068320B04404A2A7357552,SHA256=3C9F6A2093C373A2380A45FD9992ECBC797E159EFBCD3EA8EF5B21DABEBAF8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686443Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:47.974{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74FBCD4B6F660F072839D99F1639F803,SHA256=038D8C298421562D05C9A63D33F0922A77D2BEC26688CC4B6EDBD69A6B015E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686442Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:47.849{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470CDF867F4EEEA0E3829EFD7A1FB541,SHA256=7F698EB6D16D3C30695D532EB02B45BB369CB7948ABF2A2E983320A882C3319D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625765Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.954{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503FC292AECECE9FB554669D9B664E88,SHA256=82187F6A80632103186B66A484B002CC64AFF96DC5121F3375B8312C6E147A9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625764Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.829{97C2ED32-03B7-60B9-675D-00000000C501}22164616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625763Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.704{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03B7-60B9-675D-00000000C501}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625762Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.704{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-03B7-60B9-675D-00000000C501}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625761Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.704{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625760Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.704{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625759Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.704{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625758Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.704{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625757Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.704{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03B7-60B9-675D-00000000C501}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625756Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.705{97C2ED32-03B7-60B9-675D-00000000C501}2216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625784Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB601EEAE464CB1A1E33FBF8951D20A,SHA256=07BE225D5A0B2157DA30B5E91BA091D38861F0E5E8E29ECA582317A031F8B5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686469Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.599{D419E45B-03B8-60B9-0353-00000000C401}3208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686468Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.364{D419E45B-7530-60B6-1600-00000000C401}12685808C:\Windows\System32\svchost.exe{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686467Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.364{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686466Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.317{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686465Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.317{D419E45B-752D-60B6-0B00-00000000C401}6322800C:\Windows\system32\lsass.exe{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000686464Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:30:48.302{D419E45B-03B8-60B9-0353-00000000C401}3208\PSHost.132672114481956287.3208.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000686463Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.286{D419E45B-03B8-60B9-0353-00000000C401}3208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_lqa2zn5e.bzt.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686462Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.286{D419E45B-03B8-60B9-0353-00000000C401}3208ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gnjj4t44.qii.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000686461Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.255{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_gnjj4t44.qii.ps12021-06-03 16:30:48.255 10341000x8000000000000000686460Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.224{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686459Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.192{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686458Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.192{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686457Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.192{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686456Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.192{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686455Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.192{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686454Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.192{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686453Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.192{D419E45B-03B8-60B9-0253-00000000C401}20645416C:\Windows\system32\cmd.exe{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686452Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.195{D419E45B-03B8-60B9-0353-00000000C401}3208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe Invoke-AzureHoundC:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-03B8-60B9-0253-00000000C401}2064C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe Invoke-AzureHound 10341000x8000000000000000686451Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.177{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-03B8-60B9-0253-00000000C401}2064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686450Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.177{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686449Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.177{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686448Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.177{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686447Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.177{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686446Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.177{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-03B8-60B9-0253-00000000C401}2064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686445Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.177{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-03B8-60B9-0253-00000000C401}2064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000686444Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:48.189{D419E45B-03B8-60B9-0253-00000000C401}2064C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe Invoke-AzureHoundC:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000625783Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.907{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03B8-60B9-695D-00000000C501}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625782Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.907{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625781Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.907{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625780Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.907{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625779Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.907{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-03B8-60B9-695D-00000000C501}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625778Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.907{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625777Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.892{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03B8-60B9-695D-00000000C501}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625776Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.892{97C2ED32-03B8-60B9-695D-00000000C501}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625775Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.751{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CAF9396824DDE93AED60A22CADA40C4,SHA256=9FF7E67A1DEB1198A04F7D165C72668F1873EA0070E7B4724F462D7FD7E972F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625774Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.391{97C2ED32-03B8-60B9-685D-00000000C501}29684456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625773Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.267{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03B8-60B9-685D-00000000C501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625772Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.267{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625771Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.267{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625770Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.267{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625769Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.267{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625768Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.267{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-03B8-60B9-685D-00000000C501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625767Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.267{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03B8-60B9-685D-00000000C501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625766Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:48.268{97C2ED32-03B8-60B9-685D-00000000C501}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686472Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:49.239{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3A9B6C448C861BA9E2FB0030440F4A7C,SHA256=F3C958A2C51D6D20CB6E2A983C5CB5E00F7C13F1004BD89ADBD2BB51C76FF5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686471Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:49.239{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D26011B2CFC366C79D8B306FB22475E,SHA256=D6C3DF714A29CFB5265C2DFC320498D40BFF321A90734A68BDA84233F61DAC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686470Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:49.239{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D5DA85A75949D69972A71661FBFE91,SHA256=E8B2079D478294E0AF46D6F4350B2FF2B65F71FB31588CB31B773F568451BDED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625794Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.907{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C8475D7B44B45474F516B2154125C94,SHA256=A38454F88777B25BDCB923D0C4FECEBF35C7E60A28E27A96421EF0066F971C36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625793Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.579{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03B9-60B9-6A5D-00000000C501}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625792Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.579{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625791Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.579{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625790Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.579{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625789Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.579{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625788Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.579{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-03B9-60B9-6A5D-00000000C501}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625787Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.579{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03B9-60B9-6A5D-00000000C501}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625786Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:49.580{97C2ED32-03B9-60B9-6A5D-00000000C501}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000625785Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:47.066{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51738-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000686475Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:46.552{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64466-false10.0.1.12-8000- 23542300x8000000000000000686474Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:50.380{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93EDB8B8283762577D6EF3B73A2ECA2F,SHA256=15B8E24FF76473758C6EB097FA569F4C2DCD0768E530AB385E87355721C04F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686473Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:50.255{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658031202AE366D083E148C8C26D453A,SHA256=8450E691AD5D7B425CBCCB5F30703A8C1650081DE32F78E277F37BBA8672BD9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625812Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.845{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03BA-60B9-6C5D-00000000C501}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625811Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.845{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625810Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.845{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625809Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.845{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625808Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.845{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625807Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.845{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-03BA-60B9-6C5D-00000000C501}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625806Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.845{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03BA-60B9-6C5D-00000000C501}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625805Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.845{97C2ED32-03BA-60B9-6C5D-00000000C501}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000625804Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.298{97C2ED32-03BA-60B9-6B5D-00000000C501}14685780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625803Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.173{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03BA-60B9-6B5D-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625802Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.173{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625801Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.173{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625800Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.173{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625799Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.173{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625798Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.173{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-03BA-60B9-6B5D-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625797Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.173{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03BA-60B9-6B5D-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625796Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.174{97C2ED32-03BA-60B9-6B5D-00000000C501}1468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625795Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:50.048{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048984F67BD23F0BD993537DEB434A9A,SHA256=25FD1C04956EF7A5F31D4B02DB867121E25C53C410A9810FD5BA7FD4882B60FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686477Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:51.520{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B9AEB48CDE794371A11664346FAB910,SHA256=148222BCE12B26B7EE1A2697A93266B77F72716F5DA1ED0D0DC61B050E187974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686476Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:51.270{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF6499864C145FF9B2692BAD03BA424,SHA256=D80D9E7D088C54A7A3D2E718AEBE2B78A9085A9BC6F8F8388779436AE7A387A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625823Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.657{97C2ED32-03BB-60B9-6D5D-00000000C501}52522312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625822Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.517{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03BB-60B9-6D5D-00000000C501}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625821Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.517{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625820Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.517{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625819Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.517{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625818Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.517{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625817Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.517{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-03BB-60B9-6D5D-00000000C501}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625816Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.517{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03BB-60B9-6D5D-00000000C501}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625815Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.517{97C2ED32-03BB-60B9-6D5D-00000000C501}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625814Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.173{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F73F2A297AD8326E20CEB19DA3E5C1D,SHA256=E59FE781FA3C85EF92D384E6C68CBC1E59CAC01CBE382B23C97CABBEC36D9AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625813Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:51.048{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A943C1F7784B4A74CA472B98606D21D,SHA256=DB0AEF7EA5EF77924ED44BB9BA3BEEE569FE76D066A14B1D0C4A820D5B1A903F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686479Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:52.661{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8480D0B8A664B6A197C840975117467,SHA256=847D6271E58D011FEBAACB46C4369E1E9699E047DEA7595AA54A2F334AFFC927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686478Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:52.271{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A248B14FD73767A5A740E14BCFB1055B,SHA256=E6B4B7A490AB2F6D5D10832154A026E2D74277EA87CEB394AE1C805182BA10BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625825Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:52.548{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B43389952DC53D2FACCA5A4A4D17C9F5,SHA256=50566530E7FAA85F871E4CED8675B65880D0D41C64371CF2FA0AC1CC239E496A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625824Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:52.063{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014D57C65F1FD6F4FFB3A2BDEF9412CC,SHA256=CE6AF22ACC5CE4978CD2CE7A47F2006727BF4C1539561E0AFBABBD20A934E217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686481Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:53.677{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E03E6BC16D59200CCC2B73B800BF2F5C,SHA256=B72512EB717CB89040EF5F5340C88462E0D594351CBCC20187F38F5F65481345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686480Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:53.286{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC40A40111746965234DBB6CBB38341,SHA256=EBCB8DBCD521FFDA51871FAF32FA29644540F0B685B6FF1FF8C5C1DA8CF45DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625826Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:53.079{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D5D5E1BDC9A84ECA167AE3674FB60B,SHA256=CE940AF85596FD43FCD29ABA936E5BF8959C67A0F7640AF31EA51FD20F83A60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625827Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:54.079{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF958081C0D0523895DE4786F0544F4,SHA256=B6DB55DC9D60CCF8DE87EEEB5BAF0291CFE1D04C2BB36852EB8ACD9D1B5167AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686483Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:54.849{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3476FA93272498D67846982650192314,SHA256=1824F2A84EE732994B6BFAE88EC50924DF28A08FD9E68BD3FE3ECF1717EACEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686482Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:54.302{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69915388FBF13CEB80D4D31C69F47027,SHA256=85EE0A734EAB11BCA7C4078F88D89E83B55D164C8152C5D88161E5425672D658,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625830Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:52.988{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51739-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625829Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:55.220{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DA670860BEB66068D3CEA54EB57FB17,SHA256=4B5675C39C143FAB4C5982F2FDA93CE3A9AD91E696D554AE8DF017880198A03A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625828Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:55.079{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E611A0FF605D72A444DA32FED6CD9365,SHA256=8B995B913F121339859152DEFB8ADB91556FD278043E0B304BE5E89766813FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686484Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:55.317{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074B33AA9407E68334FD344186FEFF45,SHA256=3F7852C9DF2194A59CB149078D53B04CFB21CAB9B826BCA7B7189DAED416A0F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686486Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:56.333{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E26068C9C1F981AFF416ABD0EE35D2,SHA256=1F9BCA35E0CAE89CF5CE56446BD13F5C25B6D88E22C35028AD50E80D109D6EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625831Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:56.110{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7013F7EE8A0E6A6B8718CFE0D3736E6C,SHA256=2D02A9B1348E8E200BFF278C796BDF6CECFE5B3147E3B42D5E1CFAF2B6B0247A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686485Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:56.145{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=015129C6F6A0B7560A3EE6F86486FAFE,SHA256=E59CFAAD23EA8A87DE1603A87C65A7234783315FEF1D2001A6D228300D6D3814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686489Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:57.599{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A51B7D566635E6A9A06ED299CC218024,SHA256=7F46F52EC224D4E7A3EF6FFB012FB6E7D659DECB7C355ADA7E880415A91BBBE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686488Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:57.349{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BC45C17E2C10BB87E69F5CA284FE3E,SHA256=92D80317FB3B19A2362AFD2D8C3EB1D308445B833B4174BC8F80D5B8EF8DD266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625832Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:57.126{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBA81C55CB8D18BE3C32B8101A481A9,SHA256=9F7E5849C7DEB9C91D894B78F8C216CB151C7357140F9835862DAA7184953A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686487Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:52.505{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64467-false10.0.1.12-8000- 23542300x8000000000000000625833Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:58.126{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69068D4F20447149262BC13CC1E0D09B,SHA256=0FF0965D83CE480C00E30F53A5EE9EFC2F5A7232E40C8E71AC547A73215F37F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686491Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:58.708{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B19A9CFA63BC6A118BDE14736F33822,SHA256=21183A7F8E0FD64F0335126D44A8432BB48455BFB71B6D6A1DDE08223CD49CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686490Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:58.364{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF35F459A562D0BB2C9454AD2722187,SHA256=015963C5C80E2A17DD04D484715EE0445882DD70347B440B3B9451BD65E54563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625834Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:59.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2DE39009CE325F7BE8633977A826BB,SHA256=51BFCC21735925416A334001661CC129FDCBCC48D0BB99EF4BD13CFCECB55090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686493Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:59.864{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E6956D39BB1A95EA08731994A43886E,SHA256=07FBCC72B4557C9BB4C7BD77EA3F2B576C8ECDE81FA5405D29A687BF55384E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686492Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:59.395{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18D9D17A7A4178DBDE52008773B4AB8,SHA256=638A554C1017CA229800F36A5719AA433C9DE0F0706991254942502FABE4B9E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686510Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.974{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686509Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686508Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686507Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686506Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686505Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-78A0-60B6-AD02-00000000C401}22846252C:\Windows\system32\csrss.exe{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686504Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-03C4-60B9-0453-00000000C401}9601572C:\Windows\system32\cmd.exe{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686503Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.972{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module C:\Temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-03C4-60B9-0453-00000000C401}960C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\Temp\AzureHound.ps1 10341000x8000000000000000686502Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-03C4-60B9-0453-00000000C401}960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686501Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686500Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686499Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686498Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686497Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-78A0-60B6-AD02-00000000C401}22846244C:\Windows\system32\csrss.exe{D419E45B-03C4-60B9-0453-00000000C401}960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686496Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.958{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-03C4-60B9-0453-00000000C401}960C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000686495Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.966{D419E45B-03C4-60B9-0453-00000000C401}960C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\Temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000686494Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:00.411{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BFAF6FEF3346A874113224926CDD55,SHA256=8769C943C262A10D15D5CE3BED9213FF934161737A2EB1FD40C6AD068AB1F2CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625839Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:58.081{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51740-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625838Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:00.798{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625837Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:00.423{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D413B4CA84CEAEE41774E13408E2612,SHA256=E34E24BB31F79286241B1F7B81FF742BA62F21A9CB573C1FF566EE4E953CEC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625836Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:00.423{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4853B449BA897B03BEEF2EA47964EA5A,SHA256=1126B9390D03C572D55034E561ABAE354E3D3B7DD60B7FC525A3B23006710ED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625835Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:00.157{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE796B8D795BD1FD62FDF9FC5B8BCD2,SHA256=0652CF60BBB683BB8F252202DC00A90C5C8BE34D94D26CBB1D19C4F5F470DAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686527Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.974{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E263617FF96E114D221F877195320CD8,SHA256=7F003837C7962850B53922C7D69919689845B003A625D54B4CB991AE22132FC2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000686526Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:31:01.942{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\D370F6FF-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_D370F6FF-0000-0000-0000-100000000000.XML 13241300x8000000000000000686525Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:31:01.942{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Config SourceDWORD (0x00000001) 13241300x8000000000000000686524Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-SetValue2021-06-03 16:31:01.942{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\368F3813-04AC-4615-AECE-5D3085605520\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_368F3813-04AC-4615-AECE-5D3085605520.XML 23542300x8000000000000000686523Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.583{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E094B7D1DDB5246FDA4785E70B0BAE,SHA256=021B73DE7DCECC8621DBAD18DFBB3B72A5A48310A2CA0B30858162E15612ADBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686522Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.583{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A57FDE85710A0AB809BD0587BBB43C1,SHA256=090BEC3F131F52AC807560B3C0E443003A69A6487019D993A90EEF41F5F4566F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625841Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:01.813{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D413B4CA84CEAEE41774E13408E2612,SHA256=E34E24BB31F79286241B1F7B81FF742BA62F21A9CB573C1FF566EE4E953CEC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625840Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:01.173{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6E139DB26AEEE84F96B0A0AC45CB90,SHA256=33F6D5BEBCCF24C9713BDB42ADD02C8E64100031B62672EC1AAC83B56450E1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686521Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.161{D419E45B-03C4-60B9-0553-00000000C401}5076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686520Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.114{D419E45B-7530-60B6-1600-00000000C401}12685808C:\Windows\System32\svchost.exe{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686519Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.114{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686518Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.099{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5369B4CBC891A040E8CE174159504A43,SHA256=F5FF866C7DB79CD46D28178F07BAC44AE27CB1D3CD9B4A5AE4A9BEDDDDAE7734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686517Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.067{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686516Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.067{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000686515Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:31:01.052{D419E45B-03C4-60B9-0553-00000000C401}5076\PSHost.132672114609720564.5076.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000686514Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.036{D419E45B-03C4-60B9-0553-00000000C401}5076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_xzwhw4kb.rp3.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686513Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.036{D419E45B-03C4-60B9-0553-00000000C401}5076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_y2oac1qn.nu0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000686512Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.020{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_y2oac1qn.nu0.ps12021-06-03 16:31:01.020 10341000x8000000000000000686511Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.005{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-03C4-60B9-0553-00000000C401}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686529Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:02.583{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9889428AA7BB4BDDA5039068FDFB70ED,SHA256=BCCE088FBA203F5C547D608FB854911686218D483D7B1F1D2AEB1163B5E329D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625844Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:30:59.644{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51741-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000625843Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:02.908{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E64BBF62DF0CFBF936DE9CE016B9E040,SHA256=87193A1269BBC3E1D9F92B37B419222887BA8E9049EBB72C9502D95919898507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625842Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:02.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781E9CEC5084BF7882A6D7C52C5EED33,SHA256=9CF671B7E72F3FBD201D0FCC7F0F3957FEFF6E96EC4B0687C7B5835ABA2F5FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686528Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:02.208{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF69A770211596D3FEA6A3E21AA31FF8,SHA256=74F5252BCE96FB48ABE4ABCA07A2D6589F2D5B461672C3D5AC6370524B26DC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686539Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:03.849{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686538Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:03.599{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C92DD9EF812B4531056D2E53A0F541,SHA256=5B6B9D5B7A126E0A04D009513B4560F5B442AC66F4D914068C2C3BE13541200E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625845Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:03.220{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737BD2B582A103EEE60D2DD726A7BF91,SHA256=6DA47B9B80520FC8C2E15AE904EC20D1CD6E7D827EF236BFD09A4989FC44372E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686537Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:03.458{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C242091685A5213D6F6842EA86293151,SHA256=13EE60E0157E28A54E9B9F6A4D552688F44D3D466DC1EB168638D4CD1BA71777,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686536Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:59.373{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64471-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000686535Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:59.373{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64471-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000686534Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:59.365{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64470-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000686533Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:59.365{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64470-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local389ldap 354300x8000000000000000686532Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:59.350{D419E45B-752F-60B6-0D00-00000000C401}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64469-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000686531Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:59.350{D419E45B-753F-60B6-2A00-00000000C401}2892C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local64469-truefe80:0:0:0:8a7:5018:d121:bd39win-dc-233.attackrange.local135epmap 354300x8000000000000000686530Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:30:58.536{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64468-false10.0.1.12-8000- 23542300x8000000000000000686541Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:04.818{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1519C64444C9535DDB3E68CB018D832F,SHA256=FFDA12C9868D9A6D990093A3DD935DDDFF3C5E2032281950984DE3CC5513DFCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686540Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:04.818{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775EE2061879EDC1AE87F32B7CBF0B4F,SHA256=4541D60013103D3933AE22DC79715A9BFD7B361A2A7DA2C21B9F08688FCB5E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625846Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:04.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1374B00FB5883B1EF7C7EA78E2EA5D95,SHA256=A2CAC329F85F873783EC290B9F84B2A939FAF499112ACCA2619AAB53BFDAFDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686544Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:05.958{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9265668DFF587600327CBC15A1B9229,SHA256=0028A2888ED095EBB92156AB0AD9F9E26BFFA6BB9F786E19C6F970FEDAE2986A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686543Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:05.958{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FF21DE1B2E7066199787FA4D59FB0A,SHA256=3728A296610D8022F4E372B0D8DBE20E2CB47E4110DC6F833A8AA6A4B13FD447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625847Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:05.236{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A28D7BAAB04F14BBCE43CC70A472AE,SHA256=E51B8C7B9502937DC4BC7ADF1FC7652A02D963C3CF1A3E22B6C768BE50D98183,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686542Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:01.240{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64472-false10.0.1.12-8089- 354300x8000000000000000625850Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:04.051{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625849Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:06.392{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E391F4D4EDE557DB594439C0040D85E4,SHA256=4C0CEDE65D60FCA2D53B99F649F6604EDD69EEAEF60EBFE34877B11A4352C103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625848Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:06.267{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701F01AF063BE2572846B8DF8F2AD55F,SHA256=F1C1A221AB78CE3D194ED40A988F5F880EF7437A8C41AB19079025F68D922263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625851Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:07.282{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C7907FA254D57FF34A2C7A6168DC96,SHA256=EEB55D86E64AB2CB7EF6FB34AE0AA138FC37FECD5FF921274F1B2CD4F6330A75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686548Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:03.240{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64473-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000686547Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:03.240{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64473-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000686546Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:07.099{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89B61627E6CC8505877DCD3E53A96673,SHA256=471D92E5307006519074915C5BBEB6419A86EC58EE7A31DF28CB2FAFC6B68D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686545Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:07.099{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE18CC7505D64EC3C4CD1F43DB9404A,SHA256=BA0ECF6FA8A1201B061A9D745BAB7F17CF04675A14F435F40F9560BC57944913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625879Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.673{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648A92205221ED89F40F46D9F2EADE2D,SHA256=00CD9FF75667BA92B6A311767ADAB60B9480FADB67933F199A9BEFDACCA85ADB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686551Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:03.646{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64474-false10.0.1.12-8000- 23542300x8000000000000000686550Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:08.255{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAEF8339EB5064CF6F667942AE6E749,SHA256=580819242DA68A9093EE586A7CDDF0A09EF2BD86C2908B2561D6CD2AAA588378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625878Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625877Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625876Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909C-60B6-DE06-00000000C501}4896C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625875Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625874Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625873Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625872Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625871Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625870Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625869Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625868Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-909B-60B6-DD06-00000000C501}4744C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625867Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625866Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625865Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625864Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625863Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625862Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625861Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625860Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625859Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625858Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625857Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625856Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625855Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625854Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625853Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625852Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:08.220{97C2ED32-772F-60B6-0D00-00000000C501}788808C:\Windows\system32\svchost.exe{97C2ED32-9096-60B6-CF06-00000000C501}4008C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686549Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:08.115{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31EB95A19F16978547B2227E543A098E,SHA256=77D78625F42CA7399DFECD4603DC886E9B629C2EF4E2CFF488A02FDBBAC8DC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625880Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:09.846{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07ED3308902E7BDE365CB3FB1F0F00F9,SHA256=D472B97718C79AC58B11342FD3D275D443E4CEB5E32444773BB1E6220DB280C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686553Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:09.302{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B060E8FEF861048A1C4959D792101466,SHA256=DE49B8309FA20D8675C2C9C0CC1946F5FE5D8B500D9986A33B6BD08DCDC3860B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686552Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:09.287{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0217C425A33C6F980712B7685F02BE0,SHA256=2440D70251CC526E6B7F87E5022875A8CB93D0F0B01A633359369F8B838026B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686555Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:10.427{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60005001A719E44B45953BCB43A498E9,SHA256=DA80342B99E84B1B6398FF12B44CC874B01E23DDA999499007038301B11823BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686554Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:10.318{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FC10582B5D5F52A0145A2302002C11,SHA256=42F4BEF2BCE7D2C92619E44D1994734F26A4FDDBAA682E8B7177D86A2182B2D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686585Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.787{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2D90B0D61E3619358AA98A021C2206D7,SHA256=1AE7C083CCEA89CC1F23A3A644EF42750BC4190DBA3D34CC89A351C66841E6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686584Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.724{D419E45B-03CF-60B9-0753-00000000C401}6488ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686583Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.724{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E773A66AF768E7921B56844A4DE438D3,SHA256=5E7F8E1B378D6FA5F61C32719A2B30EC2EFF91A11A84947F5041594CB40A9342,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686582Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.677{D419E45B-7530-60B6-1600-00000000C401}12685808C:\Windows\System32\svchost.exe{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686581Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.677{D419E45B-7530-60B6-1600-00000000C401}12681336C:\Windows\System32\svchost.exe{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686580Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.646{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686579Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.646{D419E45B-752D-60B6-0B00-00000000C401}6322340C:\Windows\system32\lsass.exe{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000686578Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-CreatePipe2021-06-03 16:31:11.615{D419E45B-03CF-60B9-0753-00000000C401}6488\PSHost.132672114715129918.6488.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000686577Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.599{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C54524A12F402EED2074F88C701AF8E1,SHA256=EEED9F3437F9E36A9F0A5537D31583CCB9F315CD6CCB06F84FC458F01CB9ECD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686576Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.599{D419E45B-03CF-60B9-0753-00000000C401}6488ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_d0g3ghun.fp1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686575Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.599{D419E45B-03CF-60B9-0753-00000000C401}6488ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5cm1lcou.ud4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000686574Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.568{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_5cm1lcou.ud4.ps12021-06-03 16:31:11.568 10341000x8000000000000000686573Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.552{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686572Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686571Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686570Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686569Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686568Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686567Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-78A0-60B6-AD02-00000000C401}22841824C:\Windows\system32\csrss.exe{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686566Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-03CF-60B9-0653-00000000C401}4896992C:\Windows\system32\cmd.exe{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686565Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.512{D419E45B-03CF-60B9-0753-00000000C401}6488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe import-module C:\Temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{D419E45B-03CF-60B9-0653-00000000C401}4896C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\Temp\AzureHound.ps1 10341000x8000000000000000686564Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-0167-60B9-A952-00000000C401}70324392C:\Windows\system32\conhost.exe{D419E45B-03CF-60B9-0653-00000000C401}4896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686563Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686562Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686561Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686560Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686559Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-78A0-60B6-AD02-00000000C401}2284924C:\Windows\system32\csrss.exe{D419E45B-03CF-60B9-0653-00000000C401}4896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686558Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.505{D419E45B-0167-60B9-A852-00000000C401}3527024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{D419E45B-03CF-60B9-0653-00000000C401}4896C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11e38184(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1126802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112cba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112adaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ad93c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1129e65c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112abb9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+112ab0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11d83546(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+11290363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\e47f5b06b63cd9ac2f165abd13a9b5b7\System.Management.Automation.ni.dll+1128f8d5(wow64) 154100x8000000000000000686557Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.506{D419E45B-03CF-60B9-0653-00000000C401}4896C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c powershell.exe import-module C:\Temp\AzureHound.ps1C:\Users\Administrator\ATTACKRANGE\Administrator{D419E45B-78A2-60B6-C5F5-1C0000000000}0x1cf5c52HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000686556Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:11.349{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96EDAC12AA5DF873A9633FA6CD1ADC6,SHA256=8001291E376885FE69BBD5E2C3DC486FD709300057F17C4199B2CE54CF31572E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625882Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:11.222{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5085186A970DDEF37B0A62454024E23B,SHA256=7CB8F3D508F88C10AF5D37C0AD4EE41642569E24A4FD756998F4781ECB06F116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625881Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:11.050{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5573BA732B63848169EA2EE2E79D8BD2,SHA256=6DF8EE4C4706E9341B82965DC66E27E08D87AC674167FA52486BE67BAD7BDDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686589Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:12.880{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F790FFE8EA33FF1C9CEE8485881B6BB8,SHA256=DBC1CF8E7E9E50951D417B76770D1156295101DC104C93BC4C136CA1807DE09D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686588Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:08.662{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64475-false10.0.1.12-8000- 23542300x8000000000000000686587Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:12.505{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5EF3A58B93CD85DBA5EFEA3355905891,SHA256=AD75A18E750B2E5B2BC4A228035340C59EB52642F718063E08EC08DC50A20505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686586Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:12.427{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2134FB98939B5669F6FEEA0197B2F2F,SHA256=37B82F4208D6E3BE2854D4F33AC66CC79A0DE5F43DD62DB76A9565ACD7C6F739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625884Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:09.067{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625883Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:12.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AAA3A5B897A5816BFC88BC04A6E597,SHA256=9F55A46C83CFBCB011F8EAEFCB5EF361EFBCDA7D6BC3226031BA221A876149BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686607Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.898{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-03D1-60B9-0953-00000000C401}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686606Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.883{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-03D1-60B9-0953-00000000C401}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686605Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.883{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686604Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.883{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686603Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.883{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686602Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.883{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686601Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.883{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-03D1-60B9-0953-00000000C401}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686600Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.883{D419E45B-03D1-60B9-0953-00000000C401}4220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686599Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.429{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA17F10E97165DA31B6C837483188B9,SHA256=A69973B24A6B26ACF2862AC85DC9E0B66737EF626F45E603A47FCEAF93C9C49B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625885Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:13.053{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F2FC2316D09034E709455583AFE96A,SHA256=44EF9C6B742C5C67C5F491E5A6C9FA099061C16F3FC9C8F4259621193CD09D9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686598Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.414{D419E45B-03D1-60B9-0853-00000000C401}59204736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686597Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.226{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-03D1-60B9-0853-00000000C401}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686596Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.211{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686595Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.211{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686594Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.211{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686593Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.211{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686592Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.211{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-03D1-60B9-0853-00000000C401}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686591Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.211{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-03D1-60B9-0853-00000000C401}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686590Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:13.196{D419E45B-03D1-60B9-0853-00000000C401}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000686618Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.535{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-03D2-60B9-0A53-00000000C401}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686617Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.535{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686616Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.535{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686615Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.535{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686614Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.535{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686613Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.535{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-03D2-60B9-0A53-00000000C401}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686612Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.535{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-03D2-60B9-0A53-00000000C401}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686611Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.537{D419E45B-03D2-60B9-0A53-00000000C401}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686610Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.442{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C66D8432D985C8420682D6C73A01C0,SHA256=249ED87F71389E3A7A3EF6DFD3861D058FC0B47629028B7D2D062C165BEEDE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625886Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:14.068{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829B1A8BE78B6C0C9B9FAA00515C49EE,SHA256=2A962C0C402F63BE3B94B2AFCDC142248D67EC3C70A99CBF89C0AC8B78081987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686609Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.176{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54D08F9FC0CB59E54FC0D34C03EC8BD1,SHA256=202E5FC534A4F58F05EBE0408C6F3111A92852D6C2C29D0F6409075E5F95467A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686608Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.086{D419E45B-03D1-60B9-0953-00000000C401}42206928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686637Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.851{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-03D3-60B9-0C53-00000000C401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686636Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.851{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686635Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.851{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686634Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.851{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686633Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.851{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686632Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.851{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-03D3-60B9-0C53-00000000C401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686631Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.851{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-03D3-60B9-0C53-00000000C401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686630Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.852{D419E45B-03D3-60B9-0C53-00000000C401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686629Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.492{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2941F9075089B082285CF8927A02EC,SHA256=BB6D32A5F44AFA7A9C9DDBAFED5BA00D87EC37C91D75D51BF1EBB12F57887D33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625887Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:15.068{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE4585E42E33E5706517F5CB0CBC43F,SHA256=61978B98D627E62A92612A05E605763FA64ADBE1ED5252F17D4AE22C877516B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686628Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.335{D419E45B-03D3-60B9-0B53-00000000C401}45165456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686627Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.179{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-03D3-60B9-0B53-00000000C401}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686626Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.179{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686625Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.179{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686624Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.179{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686623Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.179{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-03D3-60B9-0B53-00000000C401}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686622Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.179{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686621Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.179{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-03D3-60B9-0B53-00000000C401}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686620Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.170{D419E45B-03D3-60B9-0B53-00000000C401}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686619Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:15.164{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E316E241CD70739CD393806B4BE5F920,SHA256=E11E95E494DCF4CCF0DE8A43BFEE09FCA55A840DD2ED0C4F6E8EB21E7B64BC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686648Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.664{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9831B525344E551F87FABF75463613F0,SHA256=4B7E6CC560C3BDC1D4F9DDA37FFE7FBE2ED1252939BD45223717AFF59865C0BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686647Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.664{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD302E591844F3D3231A211992F6567,SHA256=A75D8971E959AD11149E4767D82C73EFC584F4AC3D7E6D17EDD46725EB74AACE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686646Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.523{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-03D4-60B9-0D53-00000000C401}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686645Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.523{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686644Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.523{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686643Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.523{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686642Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.523{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686641Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.523{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-03D4-60B9-0D53-00000000C401}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686640Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.523{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-03D4-60B9-0D53-00000000C401}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686639Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.524{D419E45B-03D4-60B9-0D53-00000000C401}4284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625888Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:16.131{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27279385FEB00AE7CCCABA42BB9BA628,SHA256=6D4D138D5740F7E3E39267593DF813A5939E19A4A8C47B9131E94225666C71CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686638Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:16.054{D419E45B-03D3-60B9-0C53-00000000C401}44684840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686658Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.820{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25A3781F2D51D6B410B279713F77CC69,SHA256=4892CE23DABF09C0FFAF8FC4AC260FC4B13A05474880B758AFC13A582288D120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686657Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.539{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589B19E2EC604748D3F8CFBF363A0580,SHA256=C11D29F3703140C6D48FA6B6057EC8D451AB502997AAF987757CADFCBBA85038,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625892Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:15.055{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625891Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:17.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C897BFDE191C09915A7186A4B42952E9,SHA256=0086B552A615DB1FC4F0FE62AFD177783A8F404640E017D6362AE0850AF09059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625890Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:17.209{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A3619AE6A5B3E5B8FDA4261259DC421,SHA256=8CCD2A479D245292028F866267DB57E2EDE6864A5D95F4C1D4C724BF70B1F2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625889Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:17.146{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D894979746E82ACA26A19F015EC9A2B8,SHA256=803FC18C72D74BC7E2651B4A7DC978107799ADEF925C6014DCABD79C448A056D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686656Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.195{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-03D5-60B9-0E53-00000000C401}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686655Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.195{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686654Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.195{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686653Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.195{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686652Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.195{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686651Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.195{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-03D5-60B9-0E53-00000000C401}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686650Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.195{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-03D5-60B9-0E53-00000000C401}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686649Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:17.196{D419E45B-03D5-60B9-0E53-00000000C401}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686660Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:18.867{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=720BE03B4F39F774A612EE147B8F5FFD,SHA256=D19F70D82FEDF6111435796B3FBE1A7ACD0088FA3AEB77FF80E6E78179FFB8D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686659Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:18.539{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A7CE616429C5E974BA50C2109ED162,SHA256=522FE21F043365E7690CE9E133F6AAD70C1C83D7BB81F99A577B965F013FB9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625893Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:18.178{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F833073B3737D3AFFB5BA13984B5907,SHA256=0B15ECD668C9FDCB2362AF7599195FE2D57865664CC6D85DE3A2546FBBA19EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686662Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:19.570{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E21F4A94719D09DF065E09BF52201B,SHA256=DE08BE1F80A4C609374396A20BFAB8D04349FC7EA00C8D396201C20DC8CCBFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625894Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:19.178{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC3D516AD2F557CD99F93C7B8EA6F8F,SHA256=48B0C267CFF902F2DC76F5872EE0EC15737DBFCFEAD0A8F5EE03C43563C411CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686661Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:14.601{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64476-false10.0.1.12-8000- 23542300x8000000000000000686664Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:20.586{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76808110A05072AC43043BABCF73B4A2,SHA256=97C6FC456F787547772E50163386CF57B47D497A33145F3A7CD39DDFFEF23CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625895Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:20.271{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16F1CCCEA2C435210F2C94D313E1BBE,SHA256=94091D7EDB56599BB540DC1ECAE6E9516FF2BCDEB2E6089BFA50E6F3BCE34557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686663Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:20.007{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449562040170AF41BBF108F1F4BB0541,SHA256=946991A135E55C180B8D6FC70D4A8590BC285E77DD8A32E6C158D5D5B6F10DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686666Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:21.601{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E15C20C5CF625F55A642125B94DDAA,SHA256=2A1208C2ADFF3C9FDC261C9C0AC981F638FAC5E9762ED5CA4D11E3D91B5B6722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625896Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:21.271{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05E74C464FE0B5E73441E9A545D91C9,SHA256=F02D9F33DBF69D2B4B0EFC30CDE1CB3C946C382A68EB9892762764B486154949,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686665Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:21.242{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B93E7093F8D667EB5420512490555AA,SHA256=1388DDA69CE81FEED196DF9687FFCC8E25C666E66B6E3112DDFAB9D2BF23CCD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686668Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:22.676{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5FF32138621E4E4397407170673EF31,SHA256=0F42DDCC260E3C9281B674DB8E30B93E5723D1088B878B01E7D8A3522CCB774A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686667Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:22.613{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F26F062116AB1757C981F2D59750E16,SHA256=ABA08F7702853B807FAEBBA85DD7589B93C236209A6939C1FF976500147E5E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625897Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:22.303{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16670CA3F6977198812DDC5FCAC5F71E,SHA256=22E82E2D92BA099655F876432D8D663C888299B9C856AFB3F205D6EBF09F0A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686670Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:23.754{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D50755C225B312AC063785F13FB290F,SHA256=052162C0FB105428616D9BE55574C450CC21DE8CAD2908C7B83A00B4FA7DBCE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686669Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:23.629{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152614399A730E1E0C99D091DDD98D7C,SHA256=80F9C62C71501F490C00532BB453607F5CE2157789F3C5D45316846744FE6291,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625901Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:21.055{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000625900Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:23.312{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8561C723F0167BD9345F4C18C4B1F81,SHA256=909993843DEA32010AE6D20C3691EB39B7024481F33E38DF806EDA9FE46F64AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625899Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:23.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198D6B5484945BC4EA491F79AF04958E,SHA256=14F764422E43B9065B56909909D09FC66321F36928E2EE8A5DEBF3333609E087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625898Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:23.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C897BFDE191C09915A7186A4B42952E9,SHA256=0086B552A615DB1FC4F0FE62AFD177783A8F404640E017D6362AE0850AF09059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625902Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:24.312{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2007BF25E5B23AB9A0ECFDEB50390C0F,SHA256=D23BFB0ED09374C248B99FF5E4B57B11234E62DD7CA259ED11744F566BE3F8A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686700Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686699Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686698Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686697Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686696Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686695Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686694Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686693Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686692Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686691Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686690Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686689Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686688Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686687Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686686Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686685Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686684Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686683Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78A4-60B6-BF02-00000000C401}3976C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686682Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686681Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B3-60B6-D602-00000000C401}6048C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686680Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686679Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686678Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686677Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686676Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686675Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686674Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686673Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686672Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686671Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:24.332{D419E45B-752F-60B6-0D00-00000000C401}904928C:\Windows\system32\svchost.exe{D419E45B-78B2-60B6-D502-00000000C401}5936C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625903Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:25.328{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4545C5F0D1E742577035ABCF2393F1EF,SHA256=67CB87DC88B9E029282A478FF479909F06C7AEEB9C266C3B8C4D7224F01910C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686703Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:20.582{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64477-false10.0.1.12-8000- 23542300x8000000000000000686702Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:25.035{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0301D5AEA579409DD06B9BC9854F7086,SHA256=D176DE7CBD5E660A89B6778F6521820A448737655D78025B2226C32C1067BD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686701Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:25.035{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5528AF6D3316DBDCE89873DF9FA14E65,SHA256=AE9FDA6DFF0974A0D76BD31F0ACC225B30E2D01E96D307B489064720206862DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625904Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:26.344{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFEAC72B6637487BCDBD0C8E7F41703,SHA256=82DF9AFF9D1643FE117E18C41BFA28E02E3F04A13954130ACFAD18273CBA06C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686705Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:26.223{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28BE11C308F1FAF4B5BFD8AFC8799610,SHA256=9B3AA2C71CF9795A921A0106C4ECA017F6FBE723A041C984A9FF43ECF7DB47DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686704Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:26.082{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14F50484F352E211FA4BC602BA55A57,SHA256=96B086DF2F359F29D1D30EAE05328B7C168EF48A23F0E370B218F2CC958182EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625905Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:27.344{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DECE5FDBFB63C9DAE0EB0B598FEE426,SHA256=B51DBC6F5D6B523C1F16E12132C68BB55F0F9F9BA8CDCBBDD45BA83DF0880088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686707Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:27.301{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F5656B219592C313F9F4B0CC1D83656,SHA256=3175C867F6C2BB1E707C85EC525FB4921B1CDFEC04FEC554D07E968962372DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686706Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:27.207{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32ED5FE3472026FC3160DA74F1D54C9,SHA256=701A677CCFADC420DB7C10EB41C0AD63D583D3E1B3F68A15C4428319D8B65297,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686709Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:28.473{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22C8567FE6D2F7CC6AA5756806F06CF9,SHA256=7816FC81C752F60CB8C213F3DB1BFB24EE8249C1A1CC7A3DB29A124389726A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686708Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:28.223{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70173194C0A9CF315FDB265A997F925F,SHA256=CB2FFE3D133562F28DEB0756DCFC4203F9B1964466C9ACB3282EA71FEA283D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625906Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:28.437{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E61AC7F7574579D3C226459C05E2C2,SHA256=023F11F07EFA20CAFA575C86C7A6B3679C4B81AD3C09EE8DE0565D6DBC8AC209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686711Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:29.535{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A03E0AEB8497D0ACEF4C4F31C661804,SHA256=14DBFB0A88C8ED419463C55492186A83181DA82A593D6692ADECBB55AD4E76EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686710Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:29.238{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396B457CBB4B1157C5B46AAD40FFFC05,SHA256=9541063377959E0A65544C11032A8328467C66329F1AD16DD6E0B7FFD052C38B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625930Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:27.081{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x8000000000000000625929Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.469{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\System32\Configure-SMRemoting.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000625928Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.453{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625927Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.453{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\system32\Configure-SMRemoting.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625926Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.453{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C841B2D2763EFFD22013AE3CAF178249,SHA256=328C274023EABA5A958A1E6C284942C054B4A1A482D6C6A455BF0880EBB6F531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625925Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.453{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\system32\Configure-SMRemoting.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625924Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.453{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\system32\Configure-SMRemoting.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625923Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.439{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625922Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.439{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625921Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.439{97C2ED32-772F-60B6-0B00-00000000C501}628676C:\Windows\system32\lsass.exe{97C2ED32-7730-60B6-1600-00000000C501}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625920Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.439{97C2ED32-7730-60B6-1600-00000000C501}12042728C:\Windows\system32\svchost.exe{97C2ED32-03E1-60B9-6F5D-00000000C501}580C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625919Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.439{97C2ED32-7730-60B6-1600-00000000C501}12041248C:\Windows\system32\svchost.exe{97C2ED32-03E1-60B9-6F5D-00000000C501}580C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625918Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.439{97C2ED32-03E1-60B9-6F5D-00000000C501}5805212C:\Windows\system32\conhost.exe{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625917Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.422{97C2ED32-9094-60B6-BC06-00000000C501}9443580C:\Windows\system32\csrss.exe{97C2ED32-03E1-60B9-6F5D-00000000C501}580C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625916Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.422{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625915Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.422{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625914Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.422{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625913Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.422{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625912Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.422{97C2ED32-9094-60B6-BC06-00000000C501}9441324C:\Windows\system32\csrss.exe{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625911Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.422{97C2ED32-9D3E-60B6-7A08-00000000C501}33644276C:\Windows\system32\ServerManager.exe{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\system32\Configure-SMRemoting.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\92b818b675d92827ce6f9fe02da8f648\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\d8a13a6a5191fa23c7bf725e2b065f0f\Microsoft.Windows.ServerManager.Common.ni.dll+3fffc(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1459ec|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1454f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+fa3761|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58df12|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+58dd95|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+559c06|C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\1c6dd455d8e305379a618a5f02b82380\mscorlib.ni.dll+558e46|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6923|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+6838|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+70e8|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+c11a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+7ce0 154100x8000000000000000625910Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.423{97C2ED32-03E1-60B9-6E5D-00000000C501}5192C:\Windows\System32\Configure-SMRemoting.exe10.0.14393.0 (rs1_release.160715-1616)Configure-SMRemotingMicrosoft® Windows® Operating SystemMicrosoft CorporationConfigure-SMRemoting.EXE"Configure-SMRemoting.exe" -GETC:\Windows\system32\WIN-HOST-236\Administrator{97C2ED32-9095-60B6-4298-3A0000000000}0x3a98422HighMD5=59EF03A3CE316E02EC6C916E86715282,SHA256=E26FE2AD8452293B4B1E957B21371693996941A4D3D2371E7E51A35892C59418,IMPHASH=C13E4B07CF35D56AB40B9BAC4947EC02{97C2ED32-9D3E-60B6-7A08-00000000C501}3364C:\Windows\System32\ServerManager.exe"C:\Windows\system32\ServerManager.exe" 23542300x8000000000000000625909Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.375{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=8963A321ACBD98651BB588777BF3EFEF,SHA256=9F8B5315526B2C2118CD2F77F8CE618CDE4A0ADEC4BFB35A9801281F89D30996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625908Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B42F0CE10C9192100589008D0A7B8608,SHA256=09740C327EDC48DC242EFAF7F086D58813388C066B3C80B6AC61A26BF4D80320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625907Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:29.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198D6B5484945BC4EA491F79AF04958E,SHA256=14F764422E43B9065B56909909D09FC66321F36928E2EE8A5DEBF3333609E087,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625945Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:28.338{97C2ED32-772D-60B6-0100-00000000C501}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51747-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 354300x8000000000000000625944Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:28.338{97C2ED32-03E1-60B9-6E5D-00000000C501}5192<unknown process>WIN-HOST-236\Administratortcptruetrue0:0:0:0:0:0:0:1win-host-236.attackrange.local51747-true0:0:0:0:0:0:0:1win-host-236.attackrange.local47001- 10341000x8000000000000000625943Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625942Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625941Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625940Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625939Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625938Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625937Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625936Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625935Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-0201-60B9-2D5D-00000000C501}5072C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000625934Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.469{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B42F0CE10C9192100589008D0A7B8608,SHA256=09740C327EDC48DC242EFAF7F086D58813388C066B3C80B6AC61A26BF4D80320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625933Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.453{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CABABE941CC7EAF27D9B9D481F49B05,SHA256=0682B3670C4311A170D904BC2228086FA69B427CE6B9A2EAA6636215DFE25EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686713Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:30.676{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B3AFDD9AA89274D34257C752E741D9,SHA256=B5E3EB1BBA3E1C9670F75BF9D8EDCF85EF0EE50C8E885A68EC474856FEA918D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686712Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:30.317{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148723F6CD3161006E764BA881944581,SHA256=E4DB0A4020A8DEBD5C1CE92E00E614C6E877BE220A19C66EB7398435D653F7D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625932Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.406{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=38DD840CCB7569BF0C31E9037331D489,SHA256=5A42D8EEF6538F230E52857094257871432FE3F860116C0BA2B249D84F3C611A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625931Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:30.406{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4FFE064B922BC107D2E7343FFF2346CB,SHA256=50DC99F5E02D5F9A5074C19EE4E654753DA2553F57DB5185916DEB6F20DCA3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625946Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:31.469{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7497976F4FB168711947980102787D9,SHA256=01112AC820BCD75548CB05214FAE0F5D05BCE6B4B580EBBB7441F121A379E9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686716Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:31.817{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB898D45B93113FFF3818C81AA49E1C9,SHA256=5B2281562BE8AE03467A31DA977F7B18F64F5C8DB89213868CCFF6B6B4F6FF7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686715Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:26.535{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64478-false10.0.1.12-8000- 23542300x8000000000000000686714Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:31.379{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685E2F43D5D56EAB04141B42B23097E7,SHA256=DD0A5BAE5C0427C5275E6B595F6EAC28ED4B0BE4C594A5ADE76727BABCDAAE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686718Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:32.833{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FF52D605F6ABBB92004CE7282EE2024D,SHA256=7EC2BB1FC660D2195150619F40655D077B175B676AC44F1DD2357278B6BE857F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686717Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:32.473{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF66BD6869EFCB947D7CB6BEEC9C5D97,SHA256=481452D194D8DE255E7696782192C88EA98C7B89C8D0845BB9E2651EA163276A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625947Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:32.484{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C34267CCED9D4D149392F9FE2187D55,SHA256=45FCC38166326FEF652783340ABAF59C703B68B45AF14C78494545429CE927DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686720Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:33.567{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40141B253B9CACB1C514DC4C28769625,SHA256=82AD9537DE853EC9F15E8FD4645F97FA46BDF8D4AEFB6086EEDA6ACC14651175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625948Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:33.484{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=980CF698CE72A85F8C84EE9E8C3412B6,SHA256=F27B499353BE6B3FFE597E97BF8B36BAD97421CF6B2BC33CB614E975B32365DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686719Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:33.082{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2742CF050EAFAFC1ED06DCE1142CA005,SHA256=1D11CDCD12F71C93169794ECCCAC8CCCE70F58D4C4C397768621D09DD597E466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686722Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:34.582{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174A5A19840781C4061E0DDC22473F0C,SHA256=A0BC9B5CA74171147BDE29AE99860223D4992C230C8F8FC7B3C681FACFDC4C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625949Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:34.500{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC6CC70E9BF335ADC89C4E604A9CE39,SHA256=D15F2D5F07F1E6FA796BD32D69831A824D31473BEF2BB9542C101B42DE583384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686721Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:34.301{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4647595F592BE91C5BBEDD94DD61F927,SHA256=9CD0FF7128815DC08C97D7023016FCC689AB5159BE273F69B36E3C14154DA673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686724Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:35.817{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55B9D0EA3E4BEC3407FAF476AE8E54B4,SHA256=BF7EDB9AAB7280EDD61A9FE111F0B95EC635AE4450FC0342C3AA832AC514CE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686723Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:35.598{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0E28463AFB7B6DF70BBDBB088F01BF,SHA256=F47BCD5D66053284D956A58E6B9D22D4CBD9E70F151AB835014DC8889B3328B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625951Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:35.500{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E3749DC556EB2C60651E33129F588C,SHA256=7CE5ACBFCBEA65395FF990AA8B55DEE91B68FFEA9BB18A84C0BBA7DB10E960BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625950Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:35.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5267CACBB78D309929B08E33F6C8ECE,SHA256=43CB2FAAD39C3A775A7106CA427C0AF4DBCD0474432ED9B62A6BBDB446DC5113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625953Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:36.500{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B13CB79B796DA6394C6AD2B4228391D7,SHA256=E8D28C6D2C3601BF625434AC8DE8AB8A7E8B51D32DB3525A97F79D1154387D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686726Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:36.629{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECD4E7CB01A7C4820C9B030E8BE2D3E,SHA256=3D91D9DDD910C0108EA98A33FDBC66D3A2E25301F0E655A7A0E265BE66B2880C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686725Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:31.535{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64479-false10.0.1.12-8000- 354300x8000000000000000625952Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:33.049{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51748-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000686728Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:37.660{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3679B43362FB64B1165BB16640D5508,SHA256=B17B26B63BCFAF4A5B7BC65E3B7EBA5FC70BC3088F95FD52CEDD6BF8FCBE78C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625954Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:37.500{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC5728E5640B6695A6E286B0030288B,SHA256=BF6787115C8E0E4B7D5CB0ADF45B41140337EC47C221ABE05A563E97C00DDE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686727Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:37.098{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=729F8A81C69DCC9D8C5D3F2FCF6CAF71,SHA256=F757CD04CA2FB88D509C8C1C90F439E0AC9F0500E1CF42C1F40B9223D7F2E80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686730Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:38.723{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F9B96862182E08AA58FECBB6C6D7A8,SHA256=3771B0AB00170CD51B654E88893ADF0C95F0F0834FC7670BE63BB7CC7148988F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625955Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:38.500{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3853AB76FBB5D4888EA1E58668330A1,SHA256=944C8030F517EC311082534E1D114E5F9DAA30FAD7D71C38A080691510AA0872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686729Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:38.145{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D81BCEC8DE40547FD1529B59A407FFDC,SHA256=81935B891B6AA4E08539A76F00718EBE6F91B58075F5E4D7F7A9486AF194BA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686732Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:39.879{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF3104C5FDDF1CEDFEB2CBD8AAFEA44,SHA256=1D003BEB60EF7F31C070DD96EFD8B70240DE9116ADC10A6C1C543E0267C9A6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625956Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:39.500{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E624E9838D3BDD3697318900743707,SHA256=5B7C58D47EE9FC6BCF3A6050DBE67F7931A4EACD97A6EAD3A99ED0DA81ECA48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686731Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:39.410{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=000924DA49534CDBEA45911B4DE414AF,SHA256=D198E73AF11DF5A18B9F964D7BE1B016B8C2A37050907A916EC010183AD588C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686735Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:40.895{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733F2D1375A9539331760ADC88DF92E0,SHA256=A23582FCE6FCDADB336869445851038C151FAC7443454F1E6306E59462131780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625957Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:40.516{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4181C0B95EDE485008140EACD9F2C655,SHA256=8736315A62C6788B7D12AE155A59CDBE515D96C48DAE3BEB4468DD45DBD1766C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686734Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:36.551{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64480-false10.0.1.12-8000- 23542300x8000000000000000686733Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:40.629{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EBB343A1E532F0744252930FAA9DEA3,SHA256=45068BFC4316DDD8FBDEA3A63BEEB2A73F92C50AFB0328C89F72D9C24EA4D37A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686736Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:41.926{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EFE04534219E733F36B7B624C0D015,SHA256=7BFA75954B64F3D70C86252C8C848F7CD5001F599DF1429FF6EED069C8DD094C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625960Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:41.547{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82391C3BAF3C49BCD0495228251EAD51,SHA256=B1310D0126E973AC500D7FC0831B94348DB7B659E551E6D886DCE1C097A75494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625959Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:41.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15B69F0B2FA853EB7A78A9758E43D5A5,SHA256=B5B9C928D914E3CC58E4445B95BB2BEE8A22D39F82B6D0DDA8B3B7ECBB115501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625958Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:41.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B8E3680A3B2BB420F914A21D1C2A560,SHA256=FDE3B4237B0960E1E6CAD97D04AC74D19014B77544209497B9A1D20D43BC3DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686738Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:42.960{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F58685049149FAAE586EA6F402C351,SHA256=EF04F711C4A45C48759DE4F021D6B63A192160188800618F72C6B1EA05164E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625962Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:42.550{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B3235AC8470793EB3A849662E40BE5,SHA256=5D457CD6E14483CD8AF1EE722975353B72B3730B51E71557A55443034CB3BE0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686737Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:42.160{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1941706717B7E46D77705C6DA572208,SHA256=8F8EB1B08E6D64408D3D94280EE1239A6CBAC4C5C56B92B34384E5BF613DAFA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000625961Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:38.971{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000686740Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:43.976{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737388547B4B3E46B749606BC8CC72D7,SHA256=5BA612FDDFE8AD0BBB940F8E3C3C18FFE7DE81E11C538CB63354CFE34389BA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625963Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:43.551{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2C0BF7AE04DDADA249D38F06E096BF,SHA256=7DEEAD11438DB859B11C6059AD976490A13C8508095CB4006351502BF3A348D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686739Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:43.257{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE1BD85E7C59A5B037E4617AD116DD78,SHA256=3F5CC30089E71460DFB5506750259005479FAF62811C5585B53407FF0A8EFF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625964Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:44.582{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0036381813B7F96E67132D22042C2A79,SHA256=804D842E43DFAC1E059FBCBFDA38B4244F7F27C2657D97F01DD87C454DDE13E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686741Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:44.382{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A07F8E6988149FEB5CB98F4D32456B9,SHA256=6BEC6A703B79E76BF87E00C0FA57AA9B1F4F6E5E7CFDFBC28FBECC4D9DF9E6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625965Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:45.598{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922FF692B31902764FFF69801EC77687,SHA256=1891783254A71BF32BE3449775165E6B67DC323D79A5DF2105F302B81EB9CB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686743Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:45.663{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DB4D92673845D5FBC11A3E2AB7FD950,SHA256=FFE593C0233B852CA66E759CE25E12118BFE89DFD2F4F0F595E1BF825B66CB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686742Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:45.210{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F13A75970826C224E1222BCEE35D554,SHA256=A95E95DFFBD55C725897B10A20F414CA7919999699CBE884EEE456A8B6D49A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625976Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:46.613{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=228D301ED2EE295B92F45F80CAA64844,SHA256=3F70F386828A14EF96013C9DD75024F4361F700F054788618AF997AD41DB4AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686744Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:46.257{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B20778518A666B5609B4075E99F08C,SHA256=AAB4DAE97A1AB3FD8C4E4DEBB892DD9F1065234011DB95F3C31E1C1078D705EC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000625975Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000625974Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09f5e197) 13241300x8000000000000000625973Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588d-0x8ffa84a0) 13241300x8000000000000000625972Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75895-0xf1beeca0) 13241300x8000000000000000625971Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589e-0x538354a0) 13241300x8000000000000000625970Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000625969Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x09f5e197) 13241300x8000000000000000625968Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7588d-0x8ffa84a0) 13241300x8000000000000000625967Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d75895-0xf1beeca0) 13241300x8000000000000000625966Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-SetValue2021-06-03 16:31:46.457{97C2ED32-772F-60B6-0B00-00000000C501}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7589e-0x538354a0) 10341000x8000000000000000625988Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.816{97C2ED32-03F3-60B9-705D-00000000C501}7403228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625987Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.676{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03F3-60B9-705D-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625986Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.676{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625985Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.676{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625984Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.676{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625983Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.676{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625982Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.676{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-03F3-60B9-705D-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625981Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.676{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03F3-60B9-705D-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625980Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.677{97C2ED32-03F3-60B9-705D-00000000C501}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000625979Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.629{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA8DA2B298BD44C4C56912EB87A4E41,SHA256=4A1125F447C9464710EAC2DCF9C0BE2C457A679F8C04E87352B2A012A961E19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686747Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:47.288{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1FF52EBE31E5CDFA30452F01B5FA60,SHA256=3453A2F6E44C96E67F4CD9336254412E7F54F10336FD2613CDCD5BF8803462E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625978Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.223{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=624029A977F5C4E0FB985C385B40A68C,SHA256=72BC1316BD781955C31A28E1E69D81DF53173CE7715B5F85E30B40307F788F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625977Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:47.223{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15B69F0B2FA853EB7A78A9758E43D5A5,SHA256=B5B9C928D914E3CC58E4445B95BB2BEE8A22D39F82B6D0DDA8B3B7ECBB115501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686746Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:47.085{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE4205F71B771FEC494B95629672D1D,SHA256=229118F03C7B766AA31A7A65E78A461E62D8ABFF2F1C4CE406981B17B6B7F755,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686745Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:42.491{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64481-false10.0.1.12-8000- 23542300x8000000000000000626000Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.676{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=624029A977F5C4E0FB985C385B40A68C,SHA256=72BC1316BD781955C31A28E1E69D81DF53173CE7715B5F85E30B40307F788F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000625999Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.629{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1463AB594029709397C7569627A3A5D,SHA256=08DF9783917DD3C428508AEEA78CD9100AAB204C44F2B414022C9904A89CF504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686749Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:48.351{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=799630DD3BC12AA49619626FB3788B97,SHA256=A288A699CE63A0299D80331AB1AE5D77C9E8CF56A1124FCB8B956052E6F94EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686748Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:48.351{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C087C076BF3E3697F6D15338D868FF6,SHA256=74E8CA151D3937D7FAE1E2F57DAB0DBEF78CE2E8D7748354D4F994BD0534166A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000625998Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.504{97C2ED32-03F4-60B9-715D-00000000C501}59004112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000625997Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:44.913{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000625996Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.348{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03F4-60B9-715D-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625995Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.348{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625994Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.348{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625993Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.348{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625992Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.348{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625991Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.348{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-03F4-60B9-715D-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000625990Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.348{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03F4-60B9-715D-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000625989Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:48.348{97C2ED32-03F4-60B9-715D-00000000C501}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686751Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:49.663{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B3FDC34399EC2A01534A73C49E1AD8B,SHA256=9B2C38BF4383FD6C82FFF55542F1243357EA74ABAEA8A532510E14D118EE6E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686750Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:49.382{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B662847880673AA72F20F9E0717459F,SHA256=DE2CF7DDBB317D07524181C8B06ABAC00C8D73D4C2437931A34F5FB07D798B8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000626018Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.691{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03F5-60B9-735D-00000000C501}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626017Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.691{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626016Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.691{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626015Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.691{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626014Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.691{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626013Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.691{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-03F5-60B9-735D-00000000C501}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000626012Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.691{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03F5-60B9-735D-00000000C501}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000626011Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.692{97C2ED32-03F5-60B9-735D-00000000C501}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000626010Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.645{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75F62E5DA610B878C9A7BF499878D0B,SHA256=3A91EDCCEFEEAD82E4A5017BA1FA4F007EE4650D1A42CBF383BB76523447255C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000626009Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.145{97C2ED32-03F5-60B9-725D-00000000C501}35324576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626008Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.020{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03F5-60B9-725D-00000000C501}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626007Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.020{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626006Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.020{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626005Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.020{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626004Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.020{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626003Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.020{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-03F5-60B9-725D-00000000C501}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000626002Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.020{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03F5-60B9-725D-00000000C501}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000626001Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.020{97C2ED32-03F5-60B9-725D-00000000C501}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686753Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:50.710{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1018713C2785B958597BAC8141C04DB0,SHA256=B604FE85EB4DD9AF6B375A2BE2D8E59FF3AF39188125A1E8F34469401FA7B541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686752Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:50.413{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52FD767A8B6D293EB795E86C885D6FD,SHA256=AF8EF41DA01D55F258013B41109BF0A8F91BBC52A3686DE39616AF200F33C5D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000626036Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.957{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03F6-60B9-755D-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626035Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.957{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626034Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.957{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626033Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.957{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626032Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.957{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626031Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.957{97C2ED32-772E-60B6-0500-00000000C501}408992C:\Windows\system32\csrss.exe{97C2ED32-03F6-60B9-755D-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000626030Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.957{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03F6-60B9-755D-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000626029Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.958{97C2ED32-03F6-60B9-755D-00000000C501}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000626028Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.645{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6603CEE7D53234115CBF9C5E3A1BFAB6,SHA256=4278D49C99DDE29E0AA7FE7E989ADCFE90C3F5584E69E7A76C351D474776A74D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000626027Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.348{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-EB80-60B8-105A-00000000C501}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626026Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.348{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626025Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.348{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626024Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.348{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626023Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.348{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626022Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.348{97C2ED32-772E-60B6-0500-00000000C501}408528C:\Windows\system32\csrss.exe{97C2ED32-EB80-60B8-105A-00000000C501}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000626021Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.348{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-EB80-60B8-105A-00000000C501}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000626020Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.349{97C2ED32-03F6-60B9-745D-00000000C501}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000626019Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:50.254{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B64638BD49B457DF9DE71CC897B23ED,SHA256=0F804F8240F60447A91D946C128AB5A7BC3CD9E41CB74C91606721D8ED3CD16C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000626047Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.770{97C2ED32-03F7-60B9-765D-00000000C501}1043168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000626046Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.707{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D128985A9F83190A1801D2E6928C50,SHA256=10814AB2D9B240B7BF1DE26E20469DE5130E2FB97E7B01313D19809D55093999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686755Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:51.835{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D64BABC65C5DB24A34B662F73B5DF86A,SHA256=A7D3202A4A55472C4C87FCCCA9D2E42C042756126D633258848C857C3A0D58DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686754Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:51.460{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAE3B27CEA9061B7B94CB455A2E5C31,SHA256=0ECD04A3C796954FCA24BD3800E6AB0E7800A2966C65B3EA4080FF5FEB67CDBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000626045Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.629{97C2ED32-787E-60B6-C400-00000000C501}31603908C:\Windows\system32\conhost.exe{97C2ED32-03F7-60B9-765D-00000000C501}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626044Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.629{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626043Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.629{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626042Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.629{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626041Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.629{97C2ED32-772F-60B6-0C00-00000000C501}7241868C:\Windows\system32\svchost.exe{97C2ED32-7730-60B6-1E00-00000000C501}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626040Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.629{97C2ED32-772E-60B6-0500-00000000C501}408424C:\Windows\system32\csrss.exe{97C2ED32-03F7-60B9-765D-00000000C501}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000626039Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.629{97C2ED32-787E-60B6-C000-00000000C501}33362836C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{97C2ED32-03F7-60B9-765D-00000000C501}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000626038Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.630{97C2ED32-03F7-60B9-765D-00000000C501}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{97C2ED32-772F-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000626037Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:51.441{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=117B8B069388A70A187B258D48C98CBC,SHA256=B988BF38CD073BB0F2F070A940D9E4FB336B1FF307C62155777ECDCE4A7DF1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626050Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:52.754{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=627D64595A342EB6EC8ABB8C3AEEF80F,SHA256=D424660792A61FAC56524F2CDF8AB21218F320947EB2C070A572DBB760A29791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626049Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:52.723{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2103012DB03594F68B2C54B900A46,SHA256=ED0F068D170D3C95903B3278117E5A67B606CB0988EE522BABF91004A8A94C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686757Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:52.476{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004D7DE230C713A3F94E7FEAE07751EF,SHA256=B809388CEC54CC9C4EB3AB1C1228E0FAD39A0F2131E15FAFB121A0FCC2D5A3BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626048Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:49.944{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000686756Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:47.663{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64482-false10.0.1.12-8000- 23542300x8000000000000000626051Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:53.738{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6033C5F670E670786C0AF4773D8F26C1,SHA256=D997E7EE168EAF6716B6275712857928C4324CFE55576EDB825EF14B7337C21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686759Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:53.507{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1935FB1C5944E79DF10F7E5941356A1D,SHA256=CCFB5E36EBC54B217FC1B1798685A38DB3004CC477B9ECED57EF24C3E74C4597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686758Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:53.007{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57280E153C99A2E6C5791E53E4AF52EC,SHA256=BA09D09EF81410AC57524C099359CA5EFDB6CDD2734AE559BC379D04E204D0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626052Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:54.754{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D7C40D40CDE2066AC8855F5CD654DC,SHA256=B156FB643B4EA8F9883668130CA1FEC49AB67A7DB95879BA8780DE88B2D76E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686761Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:54.538{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67AC4C09335E01C435704C1BFD9CEC6B,SHA256=9BDB0937B34FBA34798D850BF9C0FB37E959149F05D5651705294CAE80148631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686760Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:54.210{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=043F3B4FE36C39CAC06C4EA9492F3728,SHA256=25A34D9F979ABE197E8A303C3E2C924466D76894331937E35980E28D2FBA0868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626053Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:55.785{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98C38EE5839C625BE00385033C45A54,SHA256=AB53C9FBD9441118280D29039C7EDDA86C61044A733C8B9607981CA0FFB83D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686763Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:55.710{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47D094553B1DCC73BF09052943E14101,SHA256=4A013DF1E369B1018395634DC18CE941C9D0D93E226B5E7F45BF02AF7D8435BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686762Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:55.554{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F153A81F846905E41E17C2DEC0477BC,SHA256=06EA01E85484675DFDE31554632D008275BE1B5D778E7867AF64576FC4332835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626054Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:56.816{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A98ADFC51062CA5E80350B4511E074A,SHA256=5AEA3EEC66918D26ED6BB15C0C78DC763789E045CA28BEF54F45CB7CA7CDEDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686765Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:56.867{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C61DD5B7D36BDCAA46D212A53BD0867,SHA256=750970E4E311A523C7C24872F3469C8F5499CEBAC12DBBC8025B9E0F762697F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686764Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:56.570{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA3398AA2157D8167DE2C8EC6462747,SHA256=4F309E5B08B8190F32F2A88715068E18576B69E83DD08C982596EE6D784161DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626056Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:57.832{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A68D66D33C5F0F56B13D84676DA1E9,SHA256=1E8AC51494A995C6271283DF9313D57A553251A5870697F8FA6EC5AA5A950C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686766Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:57.585{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C439A548E40211C01169BA594BDD0C,SHA256=7A3D966E3D43B9C678CCE874813246B7B65174C395C42B70BDA5AE8EAF019D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626055Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:57.160{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C34EC88762987751580B9FCE44622A5,SHA256=2ED585D6F96F416A85732997A4B2D107163FFBF05266D7D5B3ED02CE3163D08C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626058Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:58.863{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F85930005A9736527E6B67A2BCC73710,SHA256=7DC1BDED40B137794121443F5CA5EFA37C657572D1E7FDF7AB539156AABDCE54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686769Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:58.601{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7402998AFAF4C7135122994B9E74FF3B,SHA256=14CC55307F13E3D004D72A22658B2BD219E5801A8324E8B7735319E988ADDB37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626057Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:55.007{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51752-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000686768Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:53.616{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64483-false10.0.1.12-8000- 23542300x8000000000000000686767Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:58.226{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0D1C14D2C5A22C94A47C5BE43D5D85,SHA256=5537B02E467AA3AEDBA1710B3E5927B47300FF155FE4FB35CDF46FB2ED416E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626059Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:59.863{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8244F3F95B77793CFBFA04ABF79ABB80,SHA256=0165845504255109DCA35E3B63D754249857F0C271DF98BAF2A69E8698C0A5CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686771Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:59.617{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA62E343AC70464CD58283670861650,SHA256=879B2F3DCAA5157D84BC698CF271931BCDDFAE788DAAE3E0E6BC79B82F7C21FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686770Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:59.288{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2DF7828D1AA24D45FFF753BBE8E0DCE,SHA256=33843F0F7D8B6DD6D3445FC6A0D2FE76376D1E4C5F0DDE5C1E2D16FC8ED5C060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626061Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:00.910{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73FA4F6868F6EF4DC770A4E26E54576F,SHA256=3AF3CCF60300DBD8D1E15C98D4141BDB861CA011FA9615BA9C774701EDADB400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686773Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:00.632{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42B2F7A74EC59B8141B24C1D00E0CAC,SHA256=EF0C5830EECD2926B129515DD4AC150C8F2CBA0D16E0CEED1E304489C8F2DF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626060Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:00.816{97C2ED32-787E-60B6-C000-00000000C501}3336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=B35B59F6A5DC39257080ED0A500328DD,SHA256=67DD3727985A06BFC803E8029C55F1F60FAAAED5D5B6DBAE397678FE75367CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686772Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:00.554{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B17952ED9AE0E74232A7AF6D0413B707,SHA256=B927FDE4424B2C7B609C8F0FA4C292A9AA2F190354245CDE8ADA6EE1727DE801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686775Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:01.804{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F918AE65EB67F917801321D8D6E5E24B,SHA256=8649B43BF67EE3633E26B44A509568F3CFD0E0CAADF43AF354426D897DE9FC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686774Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:01.648{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75834101AAF78C78284A131B9612B172,SHA256=C0E9087A29DCD984985CE1542ED95F9E75C378B6B5D67A347254221D8E6867C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626063Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:01.941{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80A6AA8EA9538E391E616DF6EAF9E3AE,SHA256=1563A665E91A590575F00B8794A61543404BF5F98E921ACFBBCF56FAD9B23A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626062Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:01.910{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1903EC950DB554131DB56ED30BABF9,SHA256=7E2B250926066D8E4A79D446551913E46AF2163A6B00E41599F2D42C88F4E825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686777Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:02.928{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1064CDCCE51173A1DEA9C6EA11FFFE5A,SHA256=78F223886836FE27507ED70330699D4D2CB2601E6492E7C220987FB1FC8CAB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686776Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:02.663{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107062A348B36CD607282240CD66D50E,SHA256=7AC7B1AA0407A0C67E63F492F90C99DEE5670A1C7424B2001AC72EE149A86C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626066Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:02.955{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=655C30AD099EDE600D39699710C1DF16,SHA256=C8B5384556C69FFB64DC3FF1DFDB10CBF0361109FDC131E6A079ECCCEE98DECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626065Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:02.908{97C2ED32-772F-60B6-1000-00000000C501}976NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=69E6A20BF8AC13B67B7A89F45A80BA08,SHA256=5D5018AACE0EF2461DB245A205D5B727C750EAD9064549675A9E262C6D0674B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626064Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:31:59.663{97C2ED32-787E-60B6-C000-00000000C501}3336C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000626068Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:03.955{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5D9A657957343EA1D8A0CA3D631204,SHA256=E68BD57EB35D6BC19FD2348E8302F3AEF7E40B030CA9CAAD94C4C78F6A519FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686786Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.850{D419E45B-753F-60B6-2E00-00000000C401}3052NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=23C50212CE825B52C2394C55ED17EB59,SHA256=67E9461D9C6CBFBB0423BF9C6998AFF7C197D3B1192E0A7CEA1F3FD3F5D563BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686785Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:31:59.616{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64484-false10.0.1.12-8000- 23542300x8000000000000000686784Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.678{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7153E594E6268512A6B3A6657EFFD8,SHA256=3E78AD6D57E942F8E3AEE983D6E11648210FAF1D927833E45843DC06F13AEBCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686783Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.194{D419E45B-78A4-60B6-BF02-00000000C401}39764344C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686782Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.194{D419E45B-78A4-60B6-BF02-00000000C401}39764344C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-EF0A-00000000C401}3200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686781Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.194{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686780Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.194{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686779Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.194{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686778Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.194{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-A18D-60B6-F00A-00000000C401}1132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000626067Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:03.221{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5435D6CC087367B641DFA4843B4BB759,SHA256=3A5C5A481AB0A773A55CDF08BFAA2D22DA263F59BC476CA09A9C418C136D1D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626070Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:04.955{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18583229C4C114E4B286C1D712EED092,SHA256=7A1B1256B92C96E6B3A96DF58CB9B70313544B54DB307752FD5D6B44DB7438AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686794Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:04.694{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253FC99D1B4F7C90C2B04EBCC5708FB6,SHA256=574F6521CA74129856235E1F40F96274E1CD612E166675C92CD2C2BC81D95DCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626069Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:00.976{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000686793Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:04.147{D419E45B-78A4-60B6-BF02-00000000C401}39764344C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+15d19|C:\Windows\System32\SHELL32.dll+b1b50|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686792Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:04.147{D419E45B-78A4-60B6-BF02-00000000C401}39764344C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A852-00000000C401}352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b3057|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd5f|C:\Windows\System32\windows.storage.dll+13aaeb|C:\Windows\System32\windows.storage.dll+13900f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686791Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:04.131{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b13af|C:\Windows\System32\SHELL32.dll+b2af0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686790Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:04.131{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+981b0|C:\Windows\System32\SHELL32.dll+b2aac|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686789Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:04.131{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b1604|C:\Windows\System32\SHELL32.dll+b2a80|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686788Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:04.131{D419E45B-78A4-60B6-BF02-00000000C401}39765872C:\Windows\Explorer.EXE{D419E45B-0167-60B9-A952-00000000C401}7032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686787Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:04.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33898B8C36EB61A7B1224C7DEFB5646F,SHA256=734934E116CC7F619E4B95404FCC34081F8345540681B240808495A05DE8E1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626071Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:05.971{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BCA515D9B294D85FB6B1A75D4BC726,SHA256=695A85E7EE57630F2A4DA4223E960F0122C8EF654B5C8BB5D808BCE401135765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686797Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:05.710{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A05CF7F4DA0AB15DD649226D8CB3BF6,SHA256=98BCA7A7236A901BE947E8DB8A78F2981D8EABBED5EB021F96E504BF3B9E2489,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686796Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:01.256{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64485-false10.0.1.12-8089- 23542300x8000000000000000686795Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:05.210{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=579CBDD72D7E35A42F60764F008DFAEA,SHA256=349DFB28286374F7B3F9465DFA847F2E7820A8D9986C5E1B99777A642976A245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686799Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:06.725{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B12F98CAC0B793F4C06E69B48D8C5A,SHA256=87EDC349F480185BBC439BEDABEC4AF047202AF0891E23586D7C1EAF17F5A9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626072Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:06.987{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D1FF0EAE9DB6AC1C31F7AC8AE5CC2E,SHA256=DE912BBD2FCF1E8D251E1685C96F4A5FE395D49FDA00F6EA86A8A98109B1AE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686798Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:06.460{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9542B564B2F7E740EA3DD4BB91341997,SHA256=6BA26E6AEBC01F631C655BB5AF8927BD2009DCFF169AB012999D2A594B127528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686803Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:07.944{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15C988BE2016126C1E26D6A5B9F7230D,SHA256=36CCAEB1BA00F9BA7B72BE4805DC8D8D1EA53E3DA5EA13F76D817DC2E4C8008A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686802Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:07.772{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D2F97985AC9942794ACDFAC34ECEBAB,SHA256=C0E949AB22D041D914CB02402F6262AE962976791C313303570FC44848E8F122,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686801Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.256{D419E45B-752D-60B6-0B00-00000000C401}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64486-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 354300x8000000000000000686800Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:03.256{D419E45B-753F-60B6-2D00-00000000C401}3028C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-233.attackrange.local64486-true0:0:0:0:0:0:0:1win-dc-233.attackrange.local389ldap 23542300x8000000000000000686804Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:08.788{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8B0AE1185353EF63B490FD99A8F59B,SHA256=2EA25900B9BC59DD470F1B484E5BFB14790BD7D04F5EFD9E18BAE77BC3D40F1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626076Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:06.099{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000626075Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:08.362{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D4329AB6F530C32474D437F5CE1E43,SHA256=1290DCF10C2999E13A30073DA1B285BDF8252F7ACF62B38067F54066A4DFE637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626074Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:08.362{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD5112D17D10AFE36337485525CEDFEE,SHA256=F35BE8F3C0A94F42475F34FAE19D17179698564980D4988A45C156D5598BDF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626073Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:08.002{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD92136E64DB707AFF53405A734B37FF,SHA256=920EB4B4261B6D4BE0223DA13234FB858D850821FCDDE33342B942FAC4DF41C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686806Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:09.803{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F059D8D4049BA01027D22D0D371CEA5,SHA256=22B7D7C3C1F6D209A93DD930A4A94F6AD119BAF0590FE785C277905749173316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626077Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:09.018{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ACDB0A166760B48EEBFF22B688C9693,SHA256=65C1FE0DE0A318580406DD05D9099C2A17B8DC9A513EE5B2A7451B1A1AF801B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686805Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:09.100{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F33D5F58EF91E6D65E0364A644FD4D12,SHA256=78CB9B80D96DCC50ADE3543220329965C1AF70174D71B8BB634B1C17DAB1BA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686809Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:10.897{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85AD826EE66B3529E211CCFDEEB46E4,SHA256=2A09B4775D6190DA54D541590A9C682E27E14989816DBB954C1F5C890989479B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626078Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:10.018{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3A555FAB9061829526DDFEF8249AFF,SHA256=C095DA2E179813599AE12ADFC39E90F6F8F09BF4675F207EBE0F3277805C2C61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686808Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:05.475{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64487-false10.0.1.12-8000- 23542300x8000000000000000686807Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:10.225{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF806D4353D4B8A38456BBA375BAA19E,SHA256=0866A948C42104F423E73CB82A426C69197068B97118BD033BF62A719F467D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686811Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:11.975{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F3E168177167BEFA4949193FC4CD50,SHA256=1D791DBDEEAE47DCB4EF81139015993DDA9D17B4AB5B215781AED68DAA7C9993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626079Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:11.018{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E334266279E60A1E2A3547D0FC97F2FD,SHA256=B954D57E59C251D2DB2CF72E65C09567AF4B5250475277677C32B8298AE995BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686810Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:11.475{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61CF5CFD8857D5F6CCE8CB5E98CD53C6,SHA256=F59C0224C2B52D3494C5AC4BA1972499F6E049A58F7BBAAEC89A21A74599A2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686813Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:12.975{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C903EBD4C09CDA061357283CD614A2F,SHA256=DE3B7B8E7858B01F174C5861508183B2782F6711FFB59E81A1E66A24D528B9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626080Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:12.030{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48D402EEF62C93220B62238B9FB92C0,SHA256=95C9298D6CC56C1816801C6A8F6EF2DD495F582A919C04A4CD52D2EE9F4FB1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686812Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:12.866{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A184B2EB36D5CA52B2F044A8411768B6,SHA256=E405BFD38061EDFAAEE66930D7DC66C217A4BD7190D1A3E6BEAFC985B5BC1D6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686830Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.913{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-040D-60B9-1053-00000000C401}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686829Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.897{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686828Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.897{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686827Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.897{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686826Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.897{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686825Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.897{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-040D-60B9-1053-00000000C401}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686824Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.897{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-040D-60B9-1053-00000000C401}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686823Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.898{D419E45B-040D-60B9-1053-00000000C401}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000686822Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.413{D419E45B-040D-60B9-0F53-00000000C401}49486584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686821Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.225{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-040D-60B9-0F53-00000000C401}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686820Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.225{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686819Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.225{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686818Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.225{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686817Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.225{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-040D-60B9-0F53-00000000C401}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686816Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.225{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686815Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.225{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-040D-60B9-0F53-00000000C401}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686814Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.210{D419E45B-040D-60B9-0F53-00000000C401}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000626081Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:13.048{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336D42AD2655A435DE14287111E7ABFF,SHA256=CEE1D3309AF837A1D6593B71DF55DD60AA880413ADB521420DBE79BF637E89AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686843Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.992{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9BCB983A7A0DF7850D63AF2392CE795,SHA256=893FE151FAF963CA7917C315EBE0923755AB34E47CBF62761DAC2540AD9EB4D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686842Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.726{D419E45B-040E-60B9-1153-00000000C401}68205180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686841Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.586{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-040E-60B9-1153-00000000C401}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686840Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.570{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686839Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.570{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686838Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.570{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686837Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.570{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686836Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.570{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-040E-60B9-1153-00000000C401}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686835Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.570{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-040E-60B9-1153-00000000C401}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686834Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.571{D419E45B-040E-60B9-1153-00000000C401}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686833Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.351{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4642B65A60A39EEC5407F1F6412AA60,SHA256=A29C8C8752D69038F67F10032DBA64269AE8BE6B719E12D76756FC226837E572,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686832Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:14.100{D419E45B-040D-60B9-1053-00000000C401}31285412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000686831Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:13.991{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C34655FD5BFA3F70664E6160CD07F32,SHA256=A43AB93F38734CDE05ACB963767C70DE894CAD7B5C426F7517B42E2136EF9778,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626085Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:11.863{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000626084Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:14.048{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6141B2624B599D0AD44AA23B9D188A3C,SHA256=DFA737601FAB01175E3BB5AC38B8CFECE2B418076B18E2DBA7143DDCFEE9E4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626083Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:14.001{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98B3C9EEE4238FFEB42EB13FC7C55C5C,SHA256=05E1C3BAF417D15082BDB7DEE1A72939DF4604A0D47AFFE412415A2A197EEB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626082Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:14.001{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89D4329AB6F530C32474D437F5CE1E43,SHA256=1290DCF10C2999E13A30073DA1B285BDF8252F7ACF62B38067F54066A4DFE637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626086Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:15.079{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4955D3FD6AD08D87D752C04941972548,SHA256=D34CB855CC84250E7A36001A02591E116FCEC466A8B07EA48B2AB703CBAB7E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686862Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.912{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-040F-60B9-1353-00000000C401}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686861Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.912{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686860Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.912{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686859Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.912{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686858Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.912{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686857Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.912{D419E45B-752D-60B6-0500-00000000C401}412428C:\Windows\system32\csrss.exe{D419E45B-040F-60B9-1353-00000000C401}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686856Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.912{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-040F-60B9-1353-00000000C401}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686855Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.912{D419E45B-040F-60B9-1353-00000000C401}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000686854Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:11.461{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64488-false10.0.1.12-8000- 23542300x8000000000000000686853Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.537{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B85CDF8D521C0AA13500E77E25C3DDE1,SHA256=6ED4A8946EC49B38A1093B29E4E20016DEC80762072752491DCA6988F43124E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686852Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.443{D419E45B-040F-60B9-1253-00000000C401}36162884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686851Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.240{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-040F-60B9-1253-00000000C401}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686850Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.240{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686849Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.240{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686848Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.240{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686847Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.240{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686846Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.240{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-040F-60B9-1253-00000000C401}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686845Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.240{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-040F-60B9-1253-00000000C401}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686844Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:15.241{D419E45B-040F-60B9-1253-00000000C401}3616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000626087Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:16.095{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5D59498A3043A6723192C2B6264DEA,SHA256=795A5DFF63237E7266CBACC51C59198E68277F1F199717596764B581DDA6F29F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686872Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.571{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0410-60B9-1453-00000000C401}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686871Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.556{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686870Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.556{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686869Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.556{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686868Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.556{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686867Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.556{D419E45B-752D-60B6-0500-00000000C401}412528C:\Windows\system32\csrss.exe{D419E45B-0410-60B9-1453-00000000C401}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686866Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.556{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0410-60B9-1453-00000000C401}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686865Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.559{D419E45B-0410-60B9-1453-00000000C401}4180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686864Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.556{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=829B4E0BA97D7B87CC832F28B6D865D8,SHA256=4508168CE206D900FC2B1BEC2DB06D2EEF991559FCED40FF98E4761408A75F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686863Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:16.052{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693EE68A86E81D14A813AABB3121BFB5,SHA256=619276632A1ED1530F79C52F64B03235562B4A0905A98555A9D503DAB29882AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626088Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:17.095{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98BC03A3868786A0A1D30407084E191,SHA256=7E1FA4B359BA70F82D15ADFFF96D5EC99A1F3062FE79F957C0F5A5E13DB97E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686882Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.806{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB3E04EBF8B4D11D258DB9F40C1F6588,SHA256=7FB047B21125172615E71EFA46B9467A82F61B761D30B7BE436D4A432EFF5CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000686881Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.196{D419E45B-7541-60B6-3700-00000000C401}34043424C:\Windows\system32\conhost.exe{D419E45B-0411-60B9-1553-00000000C401}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686880Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.181{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686879Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.181{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686878Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.181{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686877Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.181{D419E45B-752F-60B6-0C00-00000000C401}8486912C:\Windows\system32\svchost.exe{D419E45B-753F-60B6-2C00-00000000C401}3020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686876Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.181{D419E45B-752D-60B6-0500-00000000C401}412388C:\Windows\system32\csrss.exe{D419E45B-0411-60B9-1553-00000000C401}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000686875Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.181{D419E45B-753F-60B6-2E00-00000000C401}30523752C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{D419E45B-0411-60B9-1553-00000000C401}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000686874Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.182{D419E45B-0411-60B9-1553-00000000C401}7156C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{D419E45B-752D-60B6-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{D419E45B-753F-60B6-2E00-00000000C401}3052C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000686873Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.071{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CFD2ED4B978D88AAF3F48B6DA5E106,SHA256=15F14402F5B869EBEA038FFA3D44BB405C87A1871AD11504D1F0BC3857917ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626089Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:18.095{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480B80E88958DC974A179A6E821F5F19,SHA256=1211981F16188C6A3450961BE8400DA0F1549849BE2CF5EFEEE68C53F3DE8078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686883Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:18.103{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C254278470A99182B736BBAF98EC244,SHA256=5340182FD79301EB7F5A11B005E529479F87BB7520FBBA1E2C81E44E139C3834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686885Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:19.306{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45430E697601A27137B930EA692C50E2,SHA256=9CD33E43B13F139A1CE003DDC718EB1E9749D0F838FE38E00FDA005D600CCD90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686884Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:19.306{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=627909B931C668C3245F1209DCDB67C7,SHA256=42591EB9C9B4685E7AA4DCCCC51AFAB824F35A86151F4E1FA379E5CA7ED36856,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626093Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:17.066{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000626092Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:19.220{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC90180BD51538A8DFB5D8AC63959E16,SHA256=5ECAA699D79A8AD64AECA1FD528088BC2DBE02726EC345AB839D7B5F62A0E554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626091Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:19.220{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98B3C9EEE4238FFEB42EB13FC7C55C5C,SHA256=05E1C3BAF417D15082BDB7DEE1A72939DF4604A0D47AFFE412415A2A197EEB5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626090Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:19.095{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A541E2BE60BA94FB7F98E5C3BB187EA,SHA256=25C5401945E46BC71322A1C02764EB18FE7DB5B062222BD4AF4C281437BE719C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626094Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:20.126{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E073835BF8FB51900A3707EA1298944A,SHA256=433F40BC97880869D4698C37D173097A5309C84C1FCD358B6D43988F7F34D4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686887Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:20.962{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1CC73628FB3BD52535B4D9635DA1729,SHA256=C52067044C2542F5C800B2EF87645FA2482F4FBCA5CF8F490EDBAD0E2A48CFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686886Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:20.540{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B914BD4E12F21BC6DA03D68D62E6A4,SHA256=1FF6C79F6420BFFE58FDC0C00B1DD6CDBFC4BF9C6DBF8880C0AF353E65A55053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686888Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:21.571{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F29BF6DB79B7B7B901B743C7CF49D8,SHA256=4E43E371012500E66000E118EC811A04FAD6662EE2D025A1747E7EE761BA6E5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626095Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:21.126{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02CC4C757604A6EA239592F0C328BA44,SHA256=69DD761AEF9D9473C6BDF8FD68561F00CA1CC93582193D774F73916F882FBE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686891Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:22.645{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979E9EFBC88DE0BAD09913429BB54C5D,SHA256=EEF50C98349D37C6A9FBA7965CB83CB61C197DBAC8E1F71461D991E588B2BAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626096Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:22.126{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7B4F17D8A3E71A44EECB02680D52A3,SHA256=9C265BD9243A3CA8AD0031DE379A878F4FBFC786C43519C785D0F3DEF15A1B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686890Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:22.181{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C20C6A4C294CDF8A1ED08F6B77023A17,SHA256=D480AAD10EF34DCB79023D1FFC24B1E29C0F0F8510B3DDE2762CFC1231EBE5AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686889Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:17.477{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64489-false10.0.1.12-8000- 23542300x8000000000000000686893Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:23.661{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=587372A34D25EFA5C7517031BDC5B1F3,SHA256=86F9C1243BE49EBF4B448353BA5B2AD02B4436420D4BD13058156EF56357785D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626097Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:23.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75358CAA43BBE06D9FD07E5BE9569E0D,SHA256=825438AB68D6C2F45EE1DC3B4392C6ED3BD4FF0C4D9978C93BADDDD238ED1655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686892Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:23.270{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=413E7F65DD559D3FD92831A691477D5B,SHA256=51BED1F65AE7C66E126F0802386784E6C2AE2F1A0CC8540B4AAA99E92CCB395A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686895Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:24.692{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596784CACD9E4E360D39CBA8A6A09572,SHA256=DCFD1E85483F8D30474875E0414B7B2BEA4A6B092D59EA2733C8666C84D8EA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626098Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:24.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90D725CBFEF8E19EE0772A3417DAB71,SHA256=E89828476BEC26A67C36EE0F70BD1C88E73A733E54EB33DF0154D7B0A685AA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686894Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:24.489{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7FA47D0A2BA5087DFB97789FB0FB0B1,SHA256=81B93B6F4CAE14411143B53A3EDB715455B73A6EC6B6703E9349E1BE39944333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686897Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:25.911{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3475031F389065AB5EB38DA87705D3,SHA256=B0D60A2C6E687EDE6753BB97DF236FEA4D4D2D8EA648D5676EA452D8DB71EA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626101Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:25.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4173F0A9765D15BE0D08264B0F8379F3,SHA256=F4F1D4FA7482DB97879639CF180E64554391B7A05C500FAC48C1A0F03B8447C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626100Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:25.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC90180BD51538A8DFB5D8AC63959E16,SHA256=5ECAA699D79A8AD64AECA1FD528088BC2DBE02726EC345AB839D7B5F62A0E554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626099Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:25.157{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1287A4786E722F3D608146E2C5C6D8C8,SHA256=4A447F0945B30FC694F45A6890F0E50B8ABF838C1375128AB4D9CE0905389621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686896Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:25.833{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71F503200BBE806C318144D9DD2082A,SHA256=ABD364C3FA1288B9FB9DC6104838A31B2E1A426933D44A518DF357562D49AFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686899Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:26.989{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D69E6FAEF0B053947D706F50EE74E045,SHA256=8B3E9379446253EA88C4F8547F9ABCC090D2B6B13B01DB933CF4541A60F2A2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686898Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:26.974{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67149E2E6E28DC0C5B72AC0CC9B5809,SHA256=074C48479069156E78111662784E8993A603F4F1E6B24906EBE488DE27CAA408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626103Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:26.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050D3FA55B318342644935599A93A99D,SHA256=AD08CD1381491BCACBE55EF05E2D0CBCE93EC99FE7FFF33061F3C6E4EE34513E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626102Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:23.050{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000626104Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:27.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA1CAFB3A65899162DCCAF07978504EB,SHA256=CA214F051D88C3806FD20092375D385C769E4CB030F8F09E46A68B633AF8189B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686900Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:22.520{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64490-false10.0.1.12-8000- 23542300x8000000000000000626105Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:28.204{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831ABA4D5375E997222B71D0832E82BE,SHA256=F0ACA586EEA20EFA8DE3E6368C66F87540F3ED22C6AC5397FB130577D3FE8B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686902Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:28.192{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73A0ADE9FE3EE9FB1399B042F70166E0,SHA256=30D890133A76B660D8C58D31ED573DBE089BD0F97069020A58A2C5B5AEFEA27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686901Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:28.145{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25A724E594CC0E20B4CBB8D490505D43,SHA256=C91C34697E01DDFCF35398970A723468FBDEF85F11283680C2B702069923D01F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686904Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:29.270{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7692E0CADFF906CE72144AEE4912FE6,SHA256=6EEFB4C9F89AA3BE1281CCDADB3BC57565C97D3425050936B0B13EEE77267E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686903Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:29.239{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314A6986D5F91AEA28987D0D1CA9F77E,SHA256=F4C66D281AFAC8685592F3BBEAAD34A5289CCD147E5EBF36DE5E735D10A06968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626107Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:29.454{97C2ED32-7730-60B6-1600-00000000C501}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF9f6898f.TMPMD5=50C3F57E9B17DAD0DB73AD4F64FDB6ED,SHA256=86D53DA9ECE564538A00B5F8E963CD8B3B67CB52F8A489C6BC9DE193528D6A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626106Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:29.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB65511FC8763CBB5A3EC9B18032DCFC,SHA256=89C0F83E50EEF32DC32F55E2C8B244C6F9322628DC8B6CC781923028F3F50E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686906Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:30.396{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDF6E06451A198665C97C7F69078357D,SHA256=47C0DD4CB2AF4F07A4C9867744D57B2C735424961AE180BE43813BC004CF4DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686905Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:30.239{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D158CA2AD1401DDCABE6E56EFD4BB8ED,SHA256=10016CB6814BB94917CC6098140B5474C726B0206367CDBE2A3BE1F619003254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626110Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:30.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=65B2438D653527ADDC580FF82B849567,SHA256=C0F46FA867ADDAD617658F510A00F9036123FAD76BD30F8CD7F951CF005B55A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626109Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:30.985{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=38DD840CCB7569BF0C31E9037331D489,SHA256=5A42D8EEF6538F230E52857094257871432FE3F860116C0BA2B249D84F3C611A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626108Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:30.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA40A29B78DF7CB4A2005305C0C7DC8D,SHA256=09E33EFDB0B80FAA89B006DEEAC3874CB720C79EB55BA901D131B868415AAE20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686908Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:31.536{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=653E76A07D79ADA4A5DFBC83244E3856,SHA256=C8BC774631C0CF6715B397377AE5F356826A3B886BB78AA9B154AEFB293EF38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686907Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:31.458{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842020182DA2199719CDF5D730173CE8,SHA256=A76A5F4130EBFE6FD1E6B967B7F63A66CBD18CCB5F8F03C05B0B4C716A9DB3AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000626114Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:28.988{97C2ED32-7885-60B6-EE00-00000000C501}3036C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-236.attackrange.local51759-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000626113Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:31.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D040348097425C3B54D80B918728D924,SHA256=E0C5249241C6DDA0C461CF1504BDD97B3FABB0AF9FCE569411776608E3B6610D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626112Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:31.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C58DBF93103F4E17031DF1DA8F3AEC7D,SHA256=06146102CF49D04913735D94E7AD9756C5AC626A278E50427DCDAC578E73684C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626111Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:31.141{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4173F0A9765D15BE0D08264B0F8379F3,SHA256=F4F1D4FA7482DB97879639CF180E64554391B7A05C500FAC48C1A0F03B8447C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686912Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:32.849{D419E45B-752F-60B6-1300-00000000C401}616NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=48C969D2332C82F00F307AEB11D1C426,SHA256=0D27A0FA9B9161C225C92F43C4799D9BAD7D3BE2E0FE7ED76DFC9E6CCE095965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686911Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:32.677{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=783E5EB931E45A4837D498875653660B,SHA256=9BE613EB2E41062AA7EAA5F08C41B9FDA833212EE02B1822598426ACC3021743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686910Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:32.474{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD82AC1AE1CC1ED001351BD4E54A3B2E,SHA256=E9ADC2903B0801114D78E79120B1F94258567BE8B72BB9E78C91FA3867F558F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626115Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:32.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED9AD22539DE66D54FEBC114C771100,SHA256=136685F5F8B8DF65746A33325F6FAEF3B7B38D8595B438DC3592205A957044CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000686909Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:27.660{D419E45B-754A-60B6-6C00-00000000C401}3320C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-233.attackrange.local64491-false10.0.1.12-8000- 23542300x8000000000000000686914Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:33.974{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D320F488689FAEF0A5A68B82554927,SHA256=B7637897D801C2E4E495B4A849ED4943F551A807CBB74D02675D5ED00BAE9CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000686913Microsoft-Windows-Sysmon/Operationalwin-dc-233.attackrange.local-2021-06-03 16:32:33.536{D419E45B-7552-60B6-7500-00000000C401}2528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8232AFC15EE7FA6A538D9779A86B15,SHA256=81937FC16020FCEA2684D4CD9282926E37E6C5DC7409054858CE2F7E6AEE764C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000626116Microsoft-Windows-Sysmon/Operationalwin-host-236.attackrange.local-2021-06-03 16:32:33.219{97C2ED32-788B-60B6-F700-00000000C501}3204NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938A2357BB8EBE31AF67FF2A7FAF2D08,SHA256=F63DA1528E190895D3361AD7A2110828A765E8E06D5A2D74E2E4C8C5E2D15667,IMPHASH=00000000000000000000000000000000falsetrue