354300x8000000000000000670492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:07.296{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51123-false10.0.1.12-8000- 23542300x8000000000000000670491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:08.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5935DDAA571AE078D48A17893E35BE5F,SHA256=CEA4226FC40B694A86A810BBED9351BE74840813C2EAF969726D242A3A16FC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:08.672{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC490679F24FA49721A4517ABAA612F,SHA256=80435222DDD0CE9DCE4CCCD78AD1EAD07EC42D600DA72201E0F58AF969A2B105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:09.818{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41547B0309BDCE80D54F9EF5B7281FF,SHA256=78E1EB50F25255EA1A557D08D198217E23827723F2CDD6BC6D9EE91C2333A35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:09.672{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE527490B3848550BF74CD410765567,SHA256=C47420DAB93F1CFB779CD5F2AC6374BBD2C811E389C86CDC4F66A5AB78341275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:09.469{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=65B75C2101C5AEC4EFF324132C52F46B,SHA256=E30E09626129BC2A8F0EA518E2B91BB50C449C9D9D99F5514FC22C2DE3C87345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.819{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E18EF79E6EE1B6E53C2021678547C8,SHA256=3309FAC138993962E90DE119DEFCCB8B7EE3CE4EEC6E2CEB3BE3364E46B4381B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:10.672{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4DC128B463F65A80C2AEEA212BD971,SHA256=49ABF14D98E3461F273806D7CC8849FD8B4FEAF0C87DA8E3DC149CCBAE1E58D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.120{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-27437121\PowerShellISEPipeName_1_ef81047d-3beb-438b-9a37-b80788d920bfMD5=A5EA0AD9260B1550A14CC58D2C39B03D,SHA256=F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.104{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-4788-609D-774E-00000000BA01}1036C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.073{7B03F3B2-D0CA-609A-1400-00000000BA01}10764220C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.058{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xmlMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:10.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B0C72036F7FF9F4112FA94297406878,SHA256=F808654766B7D0E94E6DD8CA7F9EC46D108DFD14F90AFAAA511B28BF510C9D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:10.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3347526878DEE4ABBCF82DE10C6EEE0,SHA256=9D47E9830D6E34F17065D558B59F37B87529DFC67B8527DB8A0FE873D8900FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:11.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1068E4B0B80C245FD29C851B708D51,SHA256=508F91EF8EB6502627A54BD974DE3C6BFA4CA9BD49277A86A5FA8207AAFEC05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.835{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD7FED15C307168CAB60C613C46A0D6,SHA256=19F0A82C58C861F9026E3CE416F54A67DDB97DBE87CD241B289D406271668858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.154{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396329CB22319760E1E3F261D6A6C233,SHA256=85E512ADCEB0378F1DDA5FD08C56EC1811C5CB6C6F6F7835EF088F6B09D080B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:08.851{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.855{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC03B595B6C4246FCB2872D6362DD72,SHA256=4463C9BF3507AB799590240B3267DB1D5AF30098ECCCE650804CA337B5784B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:12.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187AABD48957806C1A58880FCB491DA1,SHA256=06B2948A94348C8095ECE0F3CEB4DBBC832C0F49E37D824F57FADE1D724751AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:13.871{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E1BD8223C5D7691B46BB41FA2DA0C1,SHA256=9EC95ABAD55A025539BC2B9961F43D4CACB12D32D96E12357EBC437F37199D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:13.704{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F78098EA2E4F7BE9283BDCF34FD0DB,SHA256=E2C6B07F2489E95F79588EE916F5B2A3F1EA499316037862855C7FD6CAAB2EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:13.103{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B336164CF1B8EBFE19162B99CEA3FF35,SHA256=3274286E3A41E8E1FC19E5D1A784746784BE033BF60FA834260FC44C2DB1AC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:14.885{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816559304BE057D4A3E1ECFB35A9C0BC,SHA256=C47F6DA8CB820BD0DB5C7DB70B0F90B0097CC095A5A9C670CCD80CD73FE7C579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:14.719{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC8CC9FDE8F458EF8F60A1BB2986685,SHA256=C2E6AB84CBA9228BA0AE6BE662FDA680CC01051171F159D44893B4AF0F1CFD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:14.502{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=22FA6C2ECAB9C0330F57C46448C19474,SHA256=985C63C49E6C10CAD4E9BE13728D588BD8090B15B4D71DEB019FFAC26C7DFF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.334{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51124-false10.0.1.12-8000- 23542300x8000000000000000670525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:15.888{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6A143B1903E6CDC43D981ABA5C8932,SHA256=9FA26F7239DC218D93683463BCA8440D2B1E4A6ABA4A5F6ECFC52FA1A24D1AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:15.719{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F49CF2D7290EFF62124ACED1B3E9D1,SHA256=A67DB9580E0773B5CF201F2A3109AA684074D06CDAD9D448A399991F2E2BB749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:16.903{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF6F4346C99ECF217059A3E1BA1B14E,SHA256=BB84B059CAD8DABFD9D5CA5346913D9FA2CD5DEAC4EEBA0AA89F5A207B14E5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:16.719{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE355CCEA08E0DA8190975FA4113D456,SHA256=07495B875F6AF97F52709FFAD02D8C1BFB6A6CA4833B47A6A4A3490292653CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:16.110{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B441B24E6E724415E1C09888BDBD50B,SHA256=274D5DDC7D33A9FD6FFD6F45C636E8EDC1897A3BA521CB43B558BD298973CAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:16.110{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B0C72036F7FF9F4112FA94297406878,SHA256=F808654766B7D0E94E6DD8CA7F9EC46D108DFD14F90AFAAA511B28BF510C9D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:17.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8FE9026D293D4773CFD096C134B876,SHA256=5992622225BDBF7C466317869F6BC490A6AAF25EC2191CE49709A8725ED60FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:17.934{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCDD9ED4A436F053FCA86E75F78341E,SHA256=9453D88FB64FDFD64B16F8A230EE69792FAFEAE30F1A0FAE27F8113E402920C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:14.710{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:18.935{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC32ECB8FD1DBD0041647EC574D599E,SHA256=386B2A84C53AEE0371DADF51ED299BB5615444D422513BE7A316C1AAC9B1FB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:18.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB81D55D8D8FC206CE3F7573D7AF4190,SHA256=34874DDD91D30BE6637ADF99110648E0B7020697FB9EE9DA4F5D41E688E150FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:18.153{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04D5B28FE07E24A6D6DB473216026BBF,SHA256=5C1FAA8DE9E546394D4CE5A8B1D6E813539E8ECE4129F59C871CAAB6F8F30F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:18.152{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DBB5F76D63DECBE0CAE7589E1025FB0,SHA256=27C3B5570B6F0870B20E9D601026A929D1F1E0E1449CD9E5A3EAC5DE031704F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:19.935{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E106CAF07C029BB6B7D1FB73BAA2DA,SHA256=299CB3F187168AF0878510F5C3503F7B8D76AF21E0ACF722DF7ADE3E147BBCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:19.750{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFB42572FA3A2589DC3C55D5E774F4A,SHA256=6D63FDD186FCA1217640047581B5ADF9ED528FF11C752EA4B0F824B1A91F9B42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:17.349{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51125-false10.0.1.12-8000- 23542300x8000000000000000670533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:20.952{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337FC2F693A277FF1655BC913B64F19E,SHA256=607F4B67819AF5320BAFB195993BCB7241AAC8E5F273458A9C14A33A808BB867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:20.750{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3FAEAF477632C348950D7E837F151D,SHA256=B47C939D8F4F9375F79E7E96DBE4067AA6D8C75A29CF78BEE4729B70A02B1002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:21.971{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD57BC78E6C88693F1F89AC7952D5206,SHA256=95FC5FD4913B95D0ABC0FF8704D9157FFBD80CE1C7F9B062989AEC1E17303BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:21.766{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4331A03098958ECC58C3D8BB8C90567C,SHA256=8BDE4461C8EB3769DC0E605F5F82FBE38B65D52B4F56E94755B3357A652DFE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:21.329{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64C64A5940F00F0CCA2C9D8D1FD4AF0C,SHA256=6500B185B30EA22F0D0484203A6DCA795CBF7BA8AFD024DCAB8570D52DABF5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:21.329{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B441B24E6E724415E1C09888BDBD50B,SHA256=274D5DDC7D33A9FD6FFD6F45C636E8EDC1897A3BA521CB43B558BD298973CAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:22.766{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814CDA3E940E0891D699ADD07A2E4FD9,SHA256=85EC819787111CDAC84D02D02AE623EEAE49462ADA5EF007CA417E104DD0B269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:22.985{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432F70D368F67FE0106E40D42374C228,SHA256=A6BE60BA13B0CBC23FDB2F6B80240950C91A08DB917294597DEFF9728DF31560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:22.271{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04D5B28FE07E24A6D6DB473216026BBF,SHA256=5C1FAA8DE9E546394D4CE5A8B1D6E813539E8ECE4129F59C871CAAB6F8F30F4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:19.726{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000571934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:23.797{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BE590E9C9E4BC1D5ECA771B7931D1E,SHA256=A2289BFD829FF1DBFCADCE9C9B1DCDD5992ECFB7556BE0719293E49B184264E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:24.829{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1F349C8CE20C4D65CC9BA44444A0AD,SHA256=CB7828D2A367FC2DC3DFF31D28CACBC572F0B2B5B2EB7D031E6FB13117CEE697,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:22.379{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51126-false10.0.1.12-8000- 23542300x8000000000000000670537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:24.000{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35073299745CC8250A76F0125A87CE7,SHA256=58B14657C17D22F973AF6F224C0B454BA1FE6779F22E0EEECF7C6B1C828FFC93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000571950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.938{E1BD9FC2-7F05-609D-E150-00000000BB01}36403432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000571949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.875{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA8E5CBEE60DB078D77658FD626D999,SHA256=98AA1FC023C5FE3EE721C8223810B5BC4BD485F04501B85630CF9C3E02FB0654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:25.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D65F22600ECCA0F426860C41C6BDC2B6,SHA256=E07B9E8593DA0C0950717AA448716B57D9CACB06BE9E4151C310A380A770F6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:25.152{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:25.000{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D69EC2D4DC8E1F253600BB06123635,SHA256=5BDC2F0EA5279570C816426C5EECC18265E6EE2A01FC445590ABE539FF25535C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000571948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F05-609D-E150-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7F05-609D-E150-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F05-609D-E150-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000571936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.814{E1BD9FC2-7F05-609D-E150-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000571979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F06-609D-E350-00000000BB01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7F06-609D-E350-00000000BB01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F06-609D-E350-00000000BB01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000571967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.941{E1BD9FC2-7F06-609D-E350-00000000BB01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000571966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.892{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FE622BE8DC917165181F9B1E2C6648,SHA256=915EB21386AFF886100F5275191972BFA92C422A658C3D6F12756C17F2E436AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:24.431{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51127-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000670543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:24.431{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51127-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000670542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:26.014{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B725A397D082E840F1938F747AEEB3C,SHA256=9D1EB87D30F5505304D7533EB87F4EA7D7C08C78A5B34D9850C3E6AF3D09D744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000571965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F06-609D-E250-00000000BB01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F06-609D-E250-00000000BB01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F06-609D-E250-00000000BB01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000571953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.315{E1BD9FC2-7F06-609D-E250-00000000BB01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000571952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:24.772{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000571951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.203{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64C64A5940F00F0CCA2C9D8D1FD4AF0C,SHA256=6500B185B30EA22F0D0484203A6DCA795CBF7BA8AFD024DCAB8570D52DABF5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:27.908{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59951FAF0E4A4EC8971DBF1E7E09C1F0,SHA256=896F881A71FD0CFB6856B34EF6C84A9C7956E90735B261A088BA1F00620936B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=DB650C50234CCBF23C732D3F9192B75E,SHA256=637205BE77DA2D84F69EB16018BAFCD822EEFB98667DD2FD8509B18F0CC275B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=54083AAF667D5207BB677FC560800F19,SHA256=1E2C60BAEFA2AB8312FBF2BD938DE5668FBAF320B2B0780559C91AC567CEB68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9294C09034F3BD53B05D43D471BD1B1F,SHA256=04D7910538822B972C3AA4D1AC77750D3518A90A5FE30C76A311F6CADDA15B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=11F4D2C9B6987D57EE9E05AD6A31659A,SHA256=FCB12CA28F3FA0EB22F4C5F97F39C2A3DEA8A3AA168C6B2386906B423FB5D2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A329AD5F3F4C6559C3E04A5E6C12F2F5,SHA256=91F9CF6ADD8269287B351E2DF789BC3CFB8C2DC42C3FF233D4157F27128A89CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=BD4E2A69C0B8CC4C0D1634546CD0B47E,SHA256=6C418FAC75968B93C8CB91A820603F61E824ECC0A79BA50BF714F02B6D7C3438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=23D7679051045F060FC81EC208C57D73,SHA256=657A4F9874FC08559235D96A5F02BA386B945735F6B76B11C8B1E2917F214781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=76C6DB9A1F900F7B46409B43D2684FCC,SHA256=552C760F06C9C365899D3F8CBA7872C6133167B037C0A03027F9E51946492C6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:25.377{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51128-false10.0.1.12-8089- 23542300x8000000000000000670546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.266{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43C0F711038CCBCD8F8658B33DA3425F,SHA256=6DB3C8D7D089FAB93BBE7CCFAFD6AA8C64C69FD8231532428AB14518E82C7971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.049{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D53EFCE4AEDB4CCC66E439ACB5CCE0,SHA256=8088D2F03CA0406EC2F6AE190C9E5445A61B56F8D68C7BFE602205BBC6E821DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:27.361{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1126368DC18696075CE45AA82E5247C9,SHA256=3D904538775C65429CC60C98505F30AD04B13C5BB77E3227BE0A336D2BF8A1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:28.925{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB04BFD750D935FA194F0211D6A44018,SHA256=6FBBB862B39DFFEA52B201160B4BA0C150456FEE2D3DF218AF9D663FE3EC76D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:28.082{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20C29D7F0594B1B20F094049A867068,SHA256=1A4CC057D0746CA472029C6A838852ACB7BD9197DB23DFAF26A4C208ACE2CC01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:28.412{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51129-false10.0.1.12-8000- 23542300x8000000000000000670558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:29.181{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C476B4508CB38B8F43250BF5C539ECA,SHA256=37C88568D69809DAD6BA2295511AEC94AE6AAED72D550F3EE4501920B13FAB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:29.096{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71665BD062A84C5E45B054C23067358,SHA256=FC75B9486FA48C53D4E6F5A9A756B2E5BC99F03B5AE55B250F7760E96C89D0BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:29.739{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:30.111{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1A62A466B981957D3223F61DF0FD01,SHA256=CFB49E7DCCD2F319188A29D57A1C626694D66E0A865D4BAEF88CCF76F512C237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:30.725{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8176AD386DE268A2B5AE80841733D956,SHA256=4E2AC6C9308C2D9E9F3A901CF9E4DC5F4CA102A1927539B01ADAB75AA099F0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:30.004{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BB6D2B2B93CC5977B812F5DFBA1DC4,SHA256=9AA3BC4E5A247175522E4A3087167528B4521F6B034FB433DB8E525180671E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:31.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DC7DEAE6597C241C5408B15EA8B0E9,SHA256=2D85FA1D87B8581A29E69BF71716EF088F291BD44ECF4D07C639D344B071BA4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:29.354{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000571986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:31.037{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1317E1EC6B51936D260E3EF16CCF2FE,SHA256=EE731889486E0F9C2A8D2D52E590AD9AB8B89570BC743F73C1CBB667BCD78F5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:29.809{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000571988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:32.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9787119CD817AB1209B5D3D29C08C0,SHA256=37DF61083A63A2E0BD64F247EBDE6B953AF31888AA119E97436C8D853EA8BA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=12849F636644AF16A7BBE28AC49A6D13,SHA256=96A54A57EF72DE8209AE628B613A71439EC59106907AC9513D558E233E13F1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B24DE056D9BA1C8042D684ADF2AF57D8,SHA256=F05BC097BC7581C7AC0F875A7F93D32AFED90C9EE39465B5B2E3D39F5D3E12E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=ECA9F6397D91CD8CF550F87429B568E3,SHA256=C55AB820AB3D161F7FEA0FBEE936810319356AFBE14367FFB93FB4F879D247DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9CCF2B283D6BE1FBE185F7C980C883F0,SHA256=A8C86C66F0AB705AA0D4A428AE0E4B116883103F70AE51806DE87A6A55ACBA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B8AD46A693DD712EDB8E2F45CBADC882,SHA256=906DAFB87FB63C5E5C941A70009EA960C7FFB84867557C745E0CC4776ECF9BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=EA888EFD6E081F4014C4F98C4FFEBE1F,SHA256=9AF9897AC5DF7F18BEC855B203F5484222B5754B026728F3AC8481B84234960E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=56B9093ABFCF6CF68BFEF07D1CFC6208,SHA256=7493C58070C899444C156C8A7316521A74D476AB288351DB352D8EBA780BEAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B4279EF28559D72A7A837DB5F5300189,SHA256=33E0B5B97BB66543813EC3A0A180F7C28156FDCD0880DDDA16C1A069C84781F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.162{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374482B2E7FEDA49CB8EE9D514D5A077,SHA256=8C5F0419BDC0C3FF8F717CF11D4220920ABB09EEBF3E97C8962B0FF87D78A481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:33.068{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B9E657F1E0808C7CB5231D29B54B36,SHA256=BBAA79C6FFF2A6EBAF2390F5E87AE15BACB157A1A5112482FBF9A4D85E0BF1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:33.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639F53E8AB478E103C05FC2978A585B5,SHA256=75BF7C12F18FAB56345C418580081202E041C30CAB22923E20BA3D72AD647F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:34.242{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA92D20A987BF2941EA1EDDD27CCCA7,SHA256=DA92EEB617FFD4CAA1452304394B51966919B608031F136D4079ED6EE3BD6190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:34.241{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FF32EAC3A36E81B19D01A99E1363B28,SHA256=CAE209A3F8CFB56A3C485B768F4D2D6D09C2376DDE8B9E7131F9E539DA1E41E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:34.190{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8797C023C5F323A6EFF09FF0ED387F,SHA256=85D13FF80F93B3D1F4E8C30D4FE661AF8964ABEF932D66CD568EA94A47E61B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:34.084{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2019F4D423CB9C3BE405C51F2E1D96,SHA256=87A39635CD74AE9C47EF531C371F8EBFBCFF256B65EA6D52D876457028E23EE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:33.485{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51130-false10.0.1.12-8000- 23542300x8000000000000000670575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:35.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5C95BEE663CC06D819594810FF49EB,SHA256=85FDB7F23D5B40BC61D1B86389063ECD59F25352926837F3E80B523C701D07F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.990{E1BD9FC2-7F0F-609D-E550-00000000BB01}25282552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F0F-609D-E550-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F0F-609D-E550-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F0F-609D-E550-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.866{E1BD9FC2-7F0F-609D-E550-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000572006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.334{E1BD9FC2-7F0F-609D-E450-00000000BB01}2162152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F0F-609D-E450-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F0F-609D-E450-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F0F-609D-E450-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000571993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.194{E1BD9FC2-7F0F-609D-E450-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000571992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.115{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071B3C135BCE47B2ABD85665A07F11C8,SHA256=AC55B069EE0844FF7EC627C904E5A96AA4FB0062D3E307A43F24B2D24D921E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:36.239{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6E6FDB4EF38F36EE456E6634194E02,SHA256=4F107C41D17A74660EB35B083E77096857F73CF12EA08919F64D33119390A57D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F10-609D-E650-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7F10-609D-E650-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F10-609D-E650-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.538{E1BD9FC2-7F10-609D-E650-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5CDEF255320B97DE632FE7CD506697,SHA256=BB81A5E0F05BB5604AD3B724DA13795F538DC8B92F10927B87B4E48663C33F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D683F1D9F3D6A2DC23858493D7B99717,SHA256=764B1C744D69888911BCD484E414B4A3A2F6853A8C5105D971FBCC92FC2FF716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80755D31A427CCBD28EE6FE9F5823198,SHA256=382E9EDB4E632A4E3F1334CB3A40659DF756613AD23997BB61C6D1214F2E49B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.771{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5CDEF255320B97DE632FE7CD506697,SHA256=BB81A5E0F05BB5604AD3B724DA13795F538DC8B92F10927B87B4E48663C33F03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.700{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52748-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.506{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9671643C7AA19A7722F71A9C52E4FC1,SHA256=21F099AF90CD6D7988D52A07D916049C3374DFB723BE0BB8A493456A34B23F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:37.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF185CB4E73809E7328BB658046BBF99,SHA256=92FD2F5E3569199950F6C1A90A110A6B7AC59F4121EE9A997ED745E8AC36E52E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.334{E1BD9FC2-7F11-609D-E750-00000000BB01}19641168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F11-609D-E750-00000000BB01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F11-609D-E750-00000000BB01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F11-609D-E750-00000000BB01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.210{E1BD9FC2-7F11-609D-E750-00000000BB01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:38.521{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76534D804672C60629CB4A9EA69E8107,SHA256=7E2E63088E5A5696F3C496355B9DE3899C5E6D400E18AC8794C6F7A7FA5D0C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:38.337{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBFF0044C3A04F8A559F39C08FEADBD,SHA256=EA19693B5071FE4616E6CA694C98438AD94064697B0EEE36C79C428538A0F284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:39.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018E84AE3A34C1357616C0619192CE32,SHA256=0376B5B5EF6C34CFA18DB8D9260D6E503B69BF87670109A527ECBEF046BD282B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:39.355{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5723E9E6769BD4706E9ECD29122B59BA,SHA256=E27AC153D979DA6F7F1D7FFBFEE36B0114F6ED4A6FA7E07214444627DE56B9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:40.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3119297714CEC0895AFEA9D3A7A4D1,SHA256=E97A64CDA490E4C805F7CBE973006778257C4BE7F347084DA912B44B31E7226F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:39.301{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51131-false10.0.1.12-8000- 23542300x8000000000000000670583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:40.385{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536DADF69FE5F31C4CE269FFDF990782,SHA256=6265EB323EA9F1C5C4B18411AF9DA4CE914929D83BD81B61841DFC4F7624C1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:40.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A9A2E773EC9C4EFE63925BA4A0FB42,SHA256=E87EFA792CD704A24DC70D32C9BFCE1F407E59DB26F58472A67A6C336A0645E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:40.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA92D20A987BF2941EA1EDDD27CCCA7,SHA256=DA92EEB617FFD4CAA1452304394B51966919B608031F136D4079ED6EE3BD6190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:41.399{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D89A5106A98A7E26814CF2944352DE2,SHA256=56320E19E08184EDEB9641CDA4AE8C58A3A186EE7B9B4EE67884856865B4C1D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:41.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B46D37275B435ADAF60C696201F4EE,SHA256=DDF3E8FFF8D63009533C8819EB6930C6D9B35AAD83776A517C783C9BA78B55FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:42.433{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EEF9CCB87CE00B8682A6D4840D1A1A,SHA256=BED9770A19E2DC90EBE34E44F4F35AC9E138D67CD6B7C4B8830242F68FF3D601,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:40.871{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:42.568{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82C283407238130C2A045A1A9299B5D,SHA256=B4EEBF9757DA01C1D8A069F04099FD690063DA45F9F971D42150C33F21DA3DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:42.268{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A9A2E773EC9C4EFE63925BA4A0FB42,SHA256=E87EFA792CD704A24DC70D32C9BFCE1F407E59DB26F58472A67A6C336A0645E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:42.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4AFF2F1BE518F213F2CE03808D7AB16,SHA256=F9DD8A3DEE25E648309FBC4D709AF71A212930DADCEC70381501BEC75DC8DAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:43.584{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00FFC99B7A157DB559E04B11F3F1B72,SHA256=0383F4610ADCFB567593227C82B3B3AF03FA04F3E1DD220855DF50B6704FAC69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:43.451{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2961E7628FAC3BC728B47D98419E1F,SHA256=19ED94560AC00F0450EBC20D50EB56F498C00320B4F4A9A9849241936B0160A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:44.631{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457471183B18953B0B1A139469F723C9,SHA256=5CA736D3F6DD2708D835609E84D8947141CB59D9CFDE0190BEDC8644AE5F1BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:44.465{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1B9F8B2099CD8E24FED35FF4EF6B41,SHA256=B6DFC8883CC10B11FE4508045C3C4C16FD156D4F90EE849128A4933AF68328C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:45.646{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3A5F69CC81236115BF750E34DCAC5B,SHA256=1D0F5A9595A52B71D382691A1C7C86CE8D40F01E7E367E36E7789E4F3E286252,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:44.412{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51132-false10.0.1.12-8000- 10341000x8000000000000000670607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.634{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F19-609D-DE55-00000000BA01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.631{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.631{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.631{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.630{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.630{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F19-609D-DE55-00000000BA01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.630{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F19-609D-DE55-00000000BA01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.630{7B03F3B2-7F19-609D-DE55-00000000BA01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.466{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED4DEFFCF60FFA1055EA56E92ED6832,SHA256=230A3446271027AEEE6EEEF6E48AB85A0FD43141777956F4D9BDBAFFE87BBF25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.181{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB11D4F050CAF8E9B71E603D934FD8F0,SHA256=B7B5122B381A69FD70733A309946C441CC4C667F3E4C3644EB452716ECCE5B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F19-609D-DD55-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F19-609D-DD55-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F19-609D-DD55-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.066{7B03F3B2-7F19-609D-DD55-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:46.663{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8B2D61438A6E0CF94F38ABE664A815,SHA256=78B4DA75C960480D448FBFE9EDFFBA8A28765AF4B07489EFF4C3DC19A2981755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.481{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB63A23E6BD31AF2B9E0C01255AE841,SHA256=CA8EDD1ED4017C9E24681211CD4700E72BEB48A6D76BB3198B1061A2EF71FFC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.465{7B03F3B2-7F1A-609D-DF55-00000000BA01}68084024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.327{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA22F76E379131E7CFAC0EDBEFA83FB4,SHA256=C4A74E65432DAB0536FE286D5F88EE35DF0B1877EEF5689C8E173B0A1ABBB899,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1A-609D-DF55-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F1A-609D-DF55-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1A-609D-DF55-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.308{7B03F3B2-7F1A-609D-DF55-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:47.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C13A6346C790AC33061CC48F132C6F,SHA256=9C9A1A7AEB82964312F2643EE779225F3E58C49BE0B40863CBC5C7442BF94B35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1B-609D-E155-00000000BA01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7F1B-609D-E155-00000000BA01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1B-609D-E155-00000000BA01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.883{7B03F3B2-7F1B-609D-E155-00000000BA01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.482{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5966D9C4DB7824CB9C2191D00F2B20BA,SHA256=89412B8C19FA38EBF117809EA629F9E0BC1138D10F0B441599E08E8D5F1C6ACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.398{7B03F3B2-7F1B-609D-E055-00000000BA01}72287868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.336{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F02E584BCA129B95DC64F63F8FAFE4B,SHA256=B0FE9CE8A5345CAF74FDB8DC8DEF7CA4058E5E98F4499267B78B956D4D78570E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1B-609D-E055-00000000BA01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7F1B-609D-E055-00000000BA01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1B-609D-E055-00000000BA01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.199{7B03F3B2-7F1B-609D-E055-00000000BA01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000572069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:46.716{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:48.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C19F691BB28EC3CB432CB5F6053FD1E,SHA256=A1D57238C3E17B0D96F887DF4A05167720E94DEE598FDAE1DEEBDC3398EED15E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CA1FD358CFDB9B6086556D4C199BDC11,SHA256=CDD671F28E06F222CCCA992EF5E93B81F70CB2D5B3D65B1DF3E627592279F9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=369EE1AC8CA4ACA3F6DFD850E3F661A8,SHA256=270AA68E59057D23007BC819D18DA4399CC6F16404CF71FF86080F988A5B1E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=12687E8A93A3A899992CB26BAF1CE4AD,SHA256=FC09C31043FFCAC48997426F63F823BC95A0AC8AC7DA00E62649E49C3E21E64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3C0B1779FFA9A9B8977D89391792930C,SHA256=60954CC76E519EC6CA4BECDE5B0BB728174B8108FB6DC7FDC3C042CBE13E9E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B45BE1B57F89C0F7AA48AE4F7A5CD3DA,SHA256=B2DFC9699A6EEFFC71E4B790EED49A973AC05AAA0EBC417E4B20B09370E9377A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=766F5FD9A4E2CB4EE0915EEE8D13A21C,SHA256=80F84C4C6A76FE6AA98B74B6CA68B110AF6B4ED29A3C56DC2F72A7ECE0463684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=656DA559066D156C6E8A867C1C837900,SHA256=6ED568B972FC5AECB3186F2BD84330EBC5FD4210319704BA200CA1B311ACB8C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AA8059246A21FD59D466079752703F12,SHA256=D505237C2ED78194FF94D14CCCCDFB299E79BA208950B664A8CAAA47C06A7C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.493{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AE244381C4B69E0D55EE5586EBBA86,SHA256=B1F04E823E5572E269D0452308D081912DC59A88A3F6AAE27E4CE053A421D423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:48.116{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAD5B79FFEEAC5A5468C997A4A4CFF27,SHA256=63643942F80D9A2868061979957E99922D3D5C5E0A351F4346ED3309DD07A47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:48.116{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC958DD0C3A4D88432EA44FDBAB0BB20,SHA256=EBA73D5F74AACD8FD2968A61E9AD0973F397988FC6AA160D78D96189A494B760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509327FB5CC9E8C901B53B48C20CC23F,SHA256=6935368CE54527592B15A6DDDBA504607938F5DD1B08E01561A892BB41F6C4A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.127{7B03F3B2-7F1B-609D-E155-00000000BA01}67764520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:49.695{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6646455F0F0B48ED1D03EEE06FD6E6D,SHA256=2EAC36BD8B3092289B272A2B19D65451040432FF8740BD6E92F03FD9831E91DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:49.524{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB28D3E94D6924E3011896E04678785,SHA256=DED5BDB9620AAC355B16E13998B76289D7BE2B544468D0B2F7DA29E3A4126A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:50.758{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E439A96E5BAB1FAB59A64037385E18A,SHA256=8943B56BC8A699B54CE6125241A04858EA0291620B4F0D573D8CFAF367E03D15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1E-609D-E255-00000000BA01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F1E-609D-E255-00000000BA01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1E-609D-E255-00000000BA01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.823{7B03F3B2-7F1E-609D-E255-00000000BA01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.540{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C1935E83E789665D4308EE33C52D47,SHA256=A944D2EBAB7DC0F074B00472030AC6D4831EA149F389A702E94F2D5B85F6E94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:51.789{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9C5CA813E054FD267BFCC5B9ABDE86,SHA256=6A3890F3C4934080345DF9B77AF5C84406BC46C57550C1108189E1EC3BF8230F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.406{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51133-false10.0.1.12-8000- 23542300x8000000000000000670670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.546{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA18B1415A1517423AB2AD03BE234E1,SHA256=C874839E9AAFE98CB300FA8CB0C087C9114B960A8C81621FF70743909845712B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1F-609D-E355-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F1F-609D-E355-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1F-609D-E355-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.494{7B03F3B2-7F1F-609D-E355-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.192{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EFBDB5771CC0BDC86D653A9FEA59E8D,SHA256=0021B8C4DFD67889D76BAFD8E3E727F1D1D697E00800626AB3EBA7B5F6F0833A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.077{7B03F3B2-7F1E-609D-E255-00000000BA01}74487612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:52.805{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25E39B3027BE8E949D49EC76ADD4613,SHA256=00A207E5CB5E26D76C9718F1A20FA13096CE6E0D162793856E67D452EC22CA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:52.553{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA1E191CA40FFC7B2253F531C7BA308,SHA256=16D0BE83FECC79D8C3F9AC23FCB1B6A50FAFFA855E207D45260907FA648D7656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:52.506{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=746035797CF18E101C515E07DD6C0A70,SHA256=1E375C03D1D43F0D1B8E963253ADC3A00B37AA5D639AA07445B0CAF192FF5A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:53.852{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ADBD24FD740CB41AFF7AD32095D7B6,SHA256=FC19080777715C3058D9CE80787DE237ED3647BA12C2B92823493ACF0C09DF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:53.570{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B30260AB22EA60BCAC7C6E812EFA622,SHA256=87CC02223FD31F74E53081666319349941B102A6ADC314C81D055EB98A0AE829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:53.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B821FCF3BA4FCFF0DD22864BB5FA15,SHA256=3BC34318B1ECF02AAD97D469240088109F815E82DDC99484B34BF6859A1ADAF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:53.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAD5B79FFEEAC5A5468C997A4A4CFF27,SHA256=63643942F80D9A2868061979957E99922D3D5C5E0A351F4346ED3309DD07A47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:53.536{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6416BB0E03B1EFB3D10CC1907F823B7A,SHA256=26F95C66646A8A007C5D98864939014E5654FB5DA8424C9EC8EC4052BAD0A718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:54.867{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E36BF55F0AE955CE053648D105A0DDA,SHA256=70551CFA25B760C963850CF5BD14CF98E13E94C4796CE8FD45AEAC4C647A0A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:54.588{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9BE8A3F27DC325D1236590E70DFF3D,SHA256=CAD4036CA0284E5DED1A6462CC2BA8411E937AD559592CA6654449EFF5BE1CCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:51.764{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:55.961{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF302D18498D8423FE08732E3518E88E,SHA256=5130DFA90F846569D5E1FBB7CFBB37118144370B923ACC722812D866F621C317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:55.620{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0650AB87DBFABD84EA691736795D5433,SHA256=7BA5CF1B67B0AEAB436C1D04162CA192EC41DCA4D5C40F906DDAC1421FFDD89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:56.977{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60818B48D1ABA127C388BD178CDA3A5,SHA256=E6214B2ECA19B557C00D27225A9E595A2570E8E212078B224C3905EB6E7FCCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:56.634{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2520CEE837CEB243425CA610B80CDB,SHA256=C4DBD8380748B54B2F1956B746BBED6A5B06A4181CC4E217235F12E29FA08F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:56.188{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BEEDC4508E833A83E3486CE2C7CC667,SHA256=8A7A9B596FF69A6FFFA900374C906A1CCF9447BDCDCB56167BD709D3F3A0E0EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:57.992{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B9D61079EAD1D0EAFBAE768771916E,SHA256=B49947EA7888F2AC6537EFD738B0291D0F040CF6D039E05FAEBAECA999675F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:57.635{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595A3A2DD12483CDD8AA4AE4B49391E5,SHA256=8C186487EBBD946B99722F7AF7CB86E1223B06F69076A019BAED69D647162CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:58.637{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4BA93A40104249BE5E010A64AD1255,SHA256=76F72D1C1C207D4C67F18985FE510C5D929F1B29F8D7D9A563884F1CEE4C38EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:58.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D46B0E55EDD5D56FE9F4CC8B78F7396,SHA256=337EF914BA20A2F7C9955CCC13FD09E45342B3E39A4D7372C0BEE95D561F79F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:58.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B821FCF3BA4FCFF0DD22864BB5FA15,SHA256=3BC34318B1ECF02AAD97D469240088109F815E82DDC99484B34BF6859A1ADAF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:55.412{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51134-false10.0.1.12-8000- 23542300x8000000000000000670683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:59.652{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475389A861BD1BB972FD3E3FEBCD2622,SHA256=3A6555C46EF795C80C9B2B85A5065CC50C52D22EF22B9DFD14159FC63557676A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:56.796{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52752-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:59.008{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0C8017490B1B295A84CC6E1144BAF0,SHA256=041C3C0A2954D862DF4D9F87017F56CA95A629B572298051BD663C9B40834A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:00.668{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937656435F713EA3D46165A2D7F83A22,SHA256=94BD557B9EADA9E83A3115B41967EA2FD99AB5BC11650A06800D279B841F0634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:00.055{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F925F8AA1EA718CCC8926AB069AAD0B,SHA256=2E92FF57AB2E114699E4479384A782B3CB908B5AA18E1986FDB1887A5E877B2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:00.450{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51135-false10.0.1.12-8000- 23542300x8000000000000000670687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:01.687{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69762834149FFBD9A894437E10600E7,SHA256=5E3D78579FF5D9F1E07864AB13D4733FD3C0A026E684BFCFF9F72D708868ADFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:01.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF4AF3CCFE8BA1619D9DD3CB749CC05,SHA256=11996E12824BAC954B97234E50CF45912A0E85F2B8257776BF5FE22A872C8689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:01.234{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D430D55689F33C4CAC1B54FBBF564CE,SHA256=38DE7FF70F14CF5D56DB629561553A39B3BC84345A8DB583AE7C348FBA2EDF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:01.234{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FE1B89B1A417E20B32126667510F4FF,SHA256=BC8122A7B3A13C0FF000FDA2D6C190B120C24B06640856615E3F04BE16398638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:02.703{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEBACFF6BF7D5AC3A20196ABCD76D21,SHA256=121E3D5F9219DCB9C3F33BE807B0B04846B079E2360197BE50E56E79800125D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:02.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054C6C9C332CCE9FD6E16B0EFB8ED965,SHA256=CBA35692079FF32174923C153F4C187124F45B6C247AD45CE2E4CD540AC6323D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:02.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D430D55689F33C4CAC1B54FBBF564CE,SHA256=38DE7FF70F14CF5D56DB629561553A39B3BC84345A8DB583AE7C348FBA2EDF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:03.718{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3F3A5C21EDC6E7EA0268540114A46F,SHA256=A03B6EBF7DA3BF93BEB16221D82B3FA4DB4F6EDF3CC803F3424BB054FDAF3AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:03.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B86A92C31C4218410CC123163E9F2,SHA256=C58EF291BB46F241678B9DFBDD0DE5447376CEC4B80FB4B01754EDF69410969B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:03.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D46B0E55EDD5D56FE9F4CC8B78F7396,SHA256=337EF914BA20A2F7C9955CCC13FD09E45342B3E39A4D7372C0BEE95D561F79F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:03.164{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35428A933B269C630238ADF90ABB6B27,SHA256=9F1C65E68B4375FC3627710B0022378333305E3B4E6165D8C0939921A40C2072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:04.732{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF59C3B21753602D8F3D02A0E1365DED,SHA256=D9FDB8F690503275EB296210175D91C91091995B78F129CC8D9B12B562D53595,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:01.842{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:04.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6C02891CDB0BDBE681B1D9100196BE,SHA256=4333B2B0F16FE433D45EE8376CE890C75D0C6EFAAAC88C8F5D03006D29DA314A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:05.764{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC1969B3C900AA3C71A18A8DD19A6E5,SHA256=46F4E56080A3BA1FFC79A893380B42BA079C497B732D3DE0F4AAD3D74CB53C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:05.211{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9166DF88733DE54FABE3B64AFB6D7DB5,SHA256=AD1353480E48CD714BE8FD737DEB58DFCBEBC9B826697AD63E893B861FBC3634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:06.784{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0BB979EE2E481672BB6F24E23879E2,SHA256=143A3E4E514738325DA45DA0C597D79509116ED1464D99608107564326A57B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:06.242{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E10336F80C3ADD52F60F65676517E6,SHA256=040476ACF089E6F207DEF3C0BEC9178B1F4440A7DEC2A2E7C6F2033FCBC38B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:06.264{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B067A9E18C018D32644BFDE1A86AB81F,SHA256=F4BA54D8BACF464D577ECC07E8C90385F55D100CD093AC04B491E397F75551A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:07.785{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508EFD8810D74EDB1A0E0D5B77E761BA,SHA256=339A2971398DE9091C0BECC9049E63508E6A2008A927BCF2EDC0ABC51D99ABC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:07.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F1D849479B0BEE81393E33F1A2F33E,SHA256=35AF58229C7074A6D0F2E3E820EE75DA206A78ADB45CEE6B983458118F4A9EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:07.286{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BA60ADCF32C6CBEB344C8452AF7E381,SHA256=C81786EFE5D131A6083D60A5E1D27357D98EE8047C2EF235887070B06F898167,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:05.493{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51136-false10.0.1.12-8000- 23542300x8000000000000000670699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:08.801{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F21D2227D43662DADFB7EE1FF1C364,SHA256=551657B3A589155328B17A9EDE090B2DB45592A70FD1851755CDB72CC33668B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:08.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44119C1486C3F5BD9919F1E372EA2069,SHA256=B5D3EB1CCB7E537F7B756D7D066E1A835957917363A6C111AAB96B04D270DBD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:09.815{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D210176198F33979A73343BFA0A52398,SHA256=F7ACCCD4832F32D19BB97855B1CC0714A897FB13C9413B51DD213B85438DD783,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:07.715{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:09.474{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=21413888F705151D9C338924607AC714,SHA256=931A9A8B565FB6ECAC49F466A1F61469720C8B22F1B6D3AA0D81DFC6496408DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:09.381{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C234E06F85C62842BC733451093EF8,SHA256=71C7AF9056E13FF3F600078D7477F02871C17BD07A7C42ADB0C718BB43191327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:09.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA7010844630EC7AA7B651C3852D045,SHA256=8FF48511556DD6FBC2895EC722104B1CA01831A9D347812646FF0C3503C266DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:09.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B86A92C31C4218410CC123163E9F2,SHA256=C58EF291BB46F241678B9DFBDD0DE5447376CEC4B80FB4B01754EDF69410969B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.865{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A347488379C29FF7BB9FB00CC5771F3A,SHA256=7B795A1C050C5C939F4415CE82A4AFBDCA5E8594394635A9897275759F818223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:10.381{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D20B6E8FD23BCC29A6686EDF252B4A,SHA256=7248B20F22AB68C9D5933B640EA232BB6E89A4A349C346690AEC2E12593B608D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.084{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.084{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.084{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-D0C8-609A-0A00-00000000BA01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.873{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A168776A4D713A2FE5AFC4C9502B6A,SHA256=0DD2AE5137E3869393B039534029BD022995F32DAC090474A5EAEE39B4868A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:11.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40E441D8144A9F417BEBF8FD53F5B53,SHA256=39354B913524F1907F992693B013853C096300AAD13371E3C8C326AF19D713D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.108{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADAD6E8CA6C517B59D955F82B5C8D605,SHA256=D2A049E50FF62015228DEB5A66BF03923BB89D00DBC608EC0DECF767E627EF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C145C4D5E2C35FD12561ED0E19132289,SHA256=79D44ED3EB87BA76E1F3488B4ECD9D71D87F354B2066BC4F69B4F4C5EF377C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=099AA66755E3EFC7ED12B8D2D756543D,SHA256=0FACF2F5C750CAB0C859B857FF22C0EE2BE59BBF16940110F349DA12B92B3B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:12.890{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6A336A9C1BCFEA53ABEFB31213AA25,SHA256=AF4C1D3BE6856FF9800D52958F1434C58938DA22DC4D04703DB69427C429180F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:12.412{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD095AC2C4B4D9D682775FAC21C0157,SHA256=8A67E566872808B9E9B7B7D50C0069180D428E73C458CD4059654F2B8B56A6D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.350{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-18.attackrange.local51137-false8.240.38.126-80http 354300x8000000000000000670710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.341{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54980- 23542300x8000000000000000670709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:12.191{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AEE2CF00636F965E7A4E3F8C6052994,SHA256=BE533C17224589FA81C7656B9881B8348C88168013FD05A828B0B9ECEB06F1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:13.905{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21564AB43CBDA726366886DA286003C,SHA256=A67159126E998432F8E9133FC06023A0CB97EC73139A4E691E385ADA9DB9589A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:13.443{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81AB95BD768CD9C14D504F9D5C6AD0C,SHA256=4FC0C03E152B2428CB4C1855B3421A7E535A2B4B10FE19B409F59636CCE0AC34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.416{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51138-false10.0.1.12-8000- 23542300x8000000000000000670717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:14.920{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A552620B0770841A0B6682ED79E2C6F3,SHA256=D5536AF509D483178264B4A469E1731FDF306455CA14BBA2D144764621976984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:14.443{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965DC9E9C17CBA3C675D7D387A6C3A43,SHA256=877B1A7F0643C361DE0C486A9F95E80E6C2F9598C1DD51CA43FDA08A0C742F72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000670716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:14.220{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000670715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:14.220{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=5906967C1034B0D6EB40F53FCBFFA07F,SHA256=9C1BE92930D16E7E37F376A15B616970B55FA82800ED038AFCE5F9B80B640BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:14.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D5498F67CDFAD47241AF2E65B936A0A,SHA256=296B38AE01353F87825439B300DEFC1853EB343C3A6860C7D0CADA4D9802B453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:14.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA7010844630EC7AA7B651C3852D045,SHA256=8FF48511556DD6FBC2895EC722104B1CA01831A9D347812646FF0C3503C266DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:15.949{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D7B07337A4B69674F1B01B2C0E7DF5,SHA256=C0806FA99B508F71942685A706380E66E6DAC2071E453003675350DEBE1E29EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:12.824{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:15.490{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0413D62B6B7657A16C5F7FE8E775DB,SHA256=3A08CDEF80A1045F80188246788A6962AA66C382515093186CBD7C0AB621AEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:16.951{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5BC1C2CBAEBB05969893FE5C65C395,SHA256=6412C6D2A88C237CE9194F85EF2D8E7671427DA8C974A2964D663C2320347343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:16.615{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4588EE786C35784B46F9E7B8EEB643AE,SHA256=24F159827D195EABB258D3D153D18366612AB44DD3A8054018DD731D077F635B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:17.969{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315F1202F1B4734F63CE28F2AF79E015,SHA256=24EE77B414064CB3A8C7071D9F2804A7CCE1B2B554425B45949D3973254A6F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:17.646{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9DD4655745B4853FC1B701EEE49D38,SHA256=0379AA230037F6E6802196B99A81858998D0851D96E846D609F46770CA9C8298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:17.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC7E804C76DFEC9DA97B92B1957D656B,SHA256=20F35AFE7EAD0EEF06203C548CC3D6A66ADF6421FC4A6D02B9A580ACCCE72A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:17.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D64D0F7B92BD1170B5682510A5EF77A,SHA256=0307810FD2219E93A024AF1165117B70F4E1A7DB6CA3E39B258348295F64E2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:17.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D4BF469587FAACEA227339B31C1BB287,SHA256=EB916CFCABE9BD0B6C9D825FEA2C10046BE299B7D7010DB78E759E41CAD63DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:17.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E481D82249C8DC07AB59646C6802CF2F,SHA256=0C7A943254953900ABF5BF565299E0FC36A66FCA4FC88D8EE12E6F2F45330D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:18.988{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43345008732D2772A31BDCB2BC61CB16,SHA256=447A5873C6C5C0F9A161A8929F3E15841F4ED1300E08D87F0209B75662454545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:18.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3777C5A7885C1BB1048D721CDB4DEE9,SHA256=4ED2E642D95470DE3AC93B6F1618D75093F9C4B8C53086B8D42EA181D73114C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:19.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC09DC22F5ECF44D5DC1C55E046E1F79,SHA256=292A9D66E15A9F14703BF91A4B288050B2B2B164E70012D82BF43DDA35387654,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:16.479{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51139-false10.0.1.12-8000- 23542300x8000000000000000572118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:19.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B64076371FF0681BDDA2CFABB7684C5D,SHA256=9BC81DCE92F7425E226497B6D9F710EEF5B77260E2937EDD9586FF0BD5659421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:19.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D5498F67CDFAD47241AF2E65B936A0A,SHA256=296B38AE01353F87825439B300DEFC1853EB343C3A6860C7D0CADA4D9802B453,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:17.887{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:20.677{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3593A6E28C04F9754254887EBED948CA,SHA256=D5DF397441EB88D26B6FCA9BCABBEFEC05BF29EAC22375254211C337AA95E486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:20.003{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4555840D090DB38839121473796446,SHA256=2CF04298E32D793FAF02C1413C6A361956255166665E2A2A2B29F43398E9FB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:21.678{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4484801A6D497DB8A72FEEF90696F2DF,SHA256=07364B7199262933F3D454E4B7A9ED988D651B9832C9E2338598B8F97F0D46E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:21.017{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912E34891568A526224F749FA0B30DD4,SHA256=116C9FF293DE1F55C7C9C4D0858A925303262E97C4F93599DEDA521D2087FE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:22.693{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B0F4833491F94414353E0CABDA5584,SHA256=E6FC0E8F1CBF5B4D4BD2B5E246809EDBB6A448ABF00C93FECBC3F6AE78719C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:22.300{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A15E9A02312E07BD61301A0FF998702,SHA256=E9362C47115CAB61D2968E6DD6B577BBAB3AF8442B6FDB796BE0A7661B9C09DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:22.300{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC7E804C76DFEC9DA97B92B1957D656B,SHA256=20F35AFE7EAD0EEF06203C548CC3D6A66ADF6421FC4A6D02B9A580ACCCE72A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:22.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81E16BFC90F43B5AC3919B81382BBB1,SHA256=E0FA6191DCFDCD8C53DF1976B8AEF8F7FDA3684FCC11FE6BF58109D008C501B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:23.724{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A964D1D38D7C5AC11DAEE388EAE5FCC0,SHA256=316E8202F9576218E17A907B3C6690FFB70377996A30AF530BD6A55C80212115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:23.084{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8744481F52C681781F38CC8B7C8738,SHA256=AC3D2C0C228112CE56B7F90173C7368062F5A0DCF3FD0A5D4523B9F4F2E20AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:24.756{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB74EDA826D033352356BE763349B13F,SHA256=9E1F5E7F45115C0AC64BC89615BDDC04389A719F7EC4747B9E4423C2E6348644,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:22.309{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51140-false10.0.1.12-8000- 23542300x8000000000000000670731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:24.130{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245832A51B9A5D2BE3862F24A9573CEE,SHA256=A9E130317290588E25465DC21E0CA0BB78EF845D0C50CD18BBA388FED40FD7FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F41-609D-E850-00000000BB01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F41-609D-E850-00000000BB01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F41-609D-E850-00000000BB01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-7F41-609D-E850-00000000BB01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.818{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35E329A46EAAE4DEC7A1235DF1BD64C,SHA256=974ADE5701D9259D29904213A50056C8061BD75FC93D97FD9EFE0F989B1727A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:24.445{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51141-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000670736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:24.445{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51141-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000670735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:25.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A15E9A02312E07BD61301A0FF998702,SHA256=E9362C47115CAB61D2968E6DD6B577BBAB3AF8442B6FDB796BE0A7661B9C09DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:25.182{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:25.144{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E8F4D2708984465B771684EC13B7A4,SHA256=D81AC845AD27921A8351EB0C38373305126707E3F798FD4C67F84644163BF474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.006{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C732CE2CC6DCA3FF033D5AB539A6AAC,SHA256=6696318B7D7EABB1313E773402CD6C411D62F151749676AAB55117C00FC8A293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.006{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B64076371FF0681BDDA2CFABB7684C5D,SHA256=9BC81DCE92F7425E226497B6D9F710EEF5B77260E2937EDD9586FF0BD5659421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:26.813{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:26.813{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4CC08D40D007DCD6A104F5AB504C9B9F,SHA256=96236FD9E8F959F7DC929B70221C6328C113A96FC7071155E5436A22EFB8B0BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:25.406{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51142-false10.0.1.12-8089- 23542300x8000000000000000670738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:26.166{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06777BF29951812187CECEFBBE91D905,SHA256=ABFBB63077EF204A15CFE301BCC6613ACA03BE983A60A4AFE8C6C5FC389632D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F42-609D-E950-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F42-609D-E950-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F42-609D-E950-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.503{E1BD9FC2-7F42-609D-E950-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:27.313{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45FD2077F2C56B0392ADDF686A151165,SHA256=C2AE10C9823C4DA7F6918DCD88BB5D6D5EFD05D52CF3199EDE1701596B4CB031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:27.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5332E7F092C3135105C8AAF25CB0F7,SHA256=DF92FA880248D2C923C1B2CA89AEDBCE569AFB219AE14EF2D1333D33ED8BF30F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.299{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.299{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2139F97107DB6E7098E73A803D791557,SHA256=AD5FBA736D2E397CC61ECC7E4F6357D7D4530128AF3063EA6B1C9BCD1EC23C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.299{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C732CE2CC6DCA3FF033D5AB539A6AAC,SHA256=6696318B7D7EABB1313E773402CD6C411D62F151749676AAB55117C00FC8A293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000572155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:23.637{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:28.174{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51557CB86FC373ABEAEF8E6AD00108C6,SHA256=5E03B32C46FED0C434A7815CD1FDEDE76FD220DB90FC8DCC5BF7974D83CB0F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:28.080{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAB0DB9A951AC6F20880B09A84F2A27,SHA256=0C588DC034144932D4156F5194E5D03C5616A9717FB9BDC1F8F92302F9B4F0AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:27.327{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51143-false10.0.1.12-8000- 23542300x8000000000000000670744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:28.196{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAC756A221262DD99243F705C43BACD,SHA256=1A2B1469CF8DF91D17BA5470F18DD334B682F602BDC16F021E07F5B7E68D2DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:29.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72410A362D2DC048CAD95A0585AE27F5,SHA256=2BF12A1EF9D193D73865E54548F224220751FB156629CBF70AB0DFC8AE5AF2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:29.768{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:29.096{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E028DB3FB183217B46ECD1CB693D6EDD,SHA256=02A1A68268E9CFADB1EDAA5B94CC3D4632EB49902649B5DA245612701F38CE45,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000670750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:34:30.541{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000670749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:34:30.525{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000670748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:34:30.525{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 23542300x8000000000000000670747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.241{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88FA3D861CE2F12BB8F9C986FD83752,SHA256=5CC1B96D23A52C78371FE02FE3F5CA4E0BC2941DBE0C6E412D3146310A0AE306,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:29.383{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52759-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000572178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:28.649{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:30.109{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9047A5ECE5CDBA96DFCAE894F041C97D,SHA256=E7CE09DFB1D4DC272679100F81ED80E5655724187304919A5E117E132605286D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:30.018{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C72FE8ACF77DF2053E9EBA3CEB23D14,SHA256=14CAECBCD1535ECA6E2B5007D44CF9EBF867EC4B7C072A0E134E972D68AFE1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:31.640{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F2B77DC934E1BC1E2FB9F1F125539C2,SHA256=FC40C9D4E1EDAEFBB63B9921A0094C2F3E363D55406F870685FC29105029C869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:31.261{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322761FB61893A1D5C8B3E4A4A351070,SHA256=3F92B1537686BD703E224763C3F54C718299B021DF3DB5B7419E2B636EC47E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:31.126{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA5E22790DD6968B1D4F9447084E5F8,SHA256=6AA361DE7B6E0F5C3D9217805B729CE1C8C5A353864141A691D0D2ADB6946560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:32.188{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4428FAEE7A5B13D77E4ADB89B4BBCD29,SHA256=2A28489B469F23F68A77E8782D41676C10B0F33B67E7EBBB78EEAFEA4210DF13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.796{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51146-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000670758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.796{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51146-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000670757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.789{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51145-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000670756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.789{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51145-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000670755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.773{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51144-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000670754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.772{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51144-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000670753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:32.276{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDD55D7740754D1731A034A2454371D,SHA256=0728666BFDD32E042C5A70DF5718C4D47E7A9D14CD14307AC64C5717C59F7F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:33.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A5431F9A498613E652734F61A773F3,SHA256=560A0E35CA4B9335CD59D23B7107FEA56A244F2F9E9554BF27E20E9DAD2B6EBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:32.354{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51147-false10.0.1.12-8000- 23542300x8000000000000000670761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC79ECED4C077C5DC28D73B597EEE67F,SHA256=379E6A49160D8C08C55C294632C21075F8296B511426ABABAD24C03C1CE02F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.122{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69C122082A006E2A00771DDA3E1771F4,SHA256=3DC1DE06C93DC35CCC1A547E36538E0C423A70CBB133E050D2F2DFFEE91EFBE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.426{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local57873-false10.0.1.14win-dc-18.attackrange.local53domain 354300x8000000000000000670768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.426{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.14win-dc-18.attackrange.local57873- 354300x8000000000000000670767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.426{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c890:a4f4:8987:ffff-57873-truea00:10e:7419:488b:cfff:1521:8400:89-53domain 354300x8000000000000000670766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.425{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local57100- 354300x8000000000000000670765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.424{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local64203-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domain 23542300x8000000000000000670764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:34.305{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E785DC328394686EA9C3A256BBF9F02,SHA256=F5BB4E83D3EEC4F5128C9CCF1FB76D2C1BF908856522D416D037E090921CDBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:34.266{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6DEFF04535507F09968D2E6867EDF4,SHA256=DB94A9D5AF0E1F3BB12B0D8B8ABD99D8BFEB3B956BFC39B7341CD03039F8CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:34.205{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D1925581A3949800A9CC8E5154B5B8,SHA256=38EA58E41AA0AFCCC2D3FFF812CDF526D357AD82A85FE78EE0C24F880B3E5E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:35.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9956581E8BA0F5BA7F5D1C9F7F790795,SHA256=9FB4A88AFF196A615F2DFB85BAC7D701A877127E7EADDF97555AB6F55E03E8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F4B-609D-EC50-00000000BB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F4B-609D-EC50-00000000BB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F4B-609D-EC50-00000000BB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.877{E1BD9FC2-7F4B-609D-EC50-00000000BB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000572198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.329{E1BD9FC2-7F4B-609D-EB50-00000000BB01}32564024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.298{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838EAE69999C931EB5AF60824C96FE2F,SHA256=57CD9988DEF69E46A7724051574184BE9DF9274A32BFDE14CC9278D4A0B683D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F4B-609D-EB50-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F4B-609D-EB50-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F4B-609D-EB50-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.205{E1BD9FC2-7F4B-609D-EB50-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:36.334{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FF3054B9447E3BDF840C2EAE5E8EA0,SHA256=A525B79E031B1A75C3F7650F5720F58C33675C9FD425ED7F2A97F8AB43679E56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.641{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.518{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.298{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71A51336AF55A6A4AF38EE5E2B8EFA4,SHA256=E904C40A35E51FCFC9173FD022EC79628BBB3C274F95EC2E890E9FBF12412992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.141{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=300DEE8736BC50F7F27B82DF9BB5400A,SHA256=4BECC94E1D0B6D7E43AC425E11971352E4E06A1BFC2ED30F961B5AF2BE8D24A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.141{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625CAD1AC0310454DF2E1931586FF772,SHA256=058543D3DA6530E5C33BA6E0C18E7FA2D366EE9B2635E9049C42508829D2C865,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.001{E1BD9FC2-7F4B-609D-EC50-00000000BB01}39562828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.751{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=300DEE8736BC50F7F27B82DF9BB5400A,SHA256=4BECC94E1D0B6D7E43AC425E11971352E4E06A1BFC2ED30F961B5AF2BE8D24A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.657{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67357005E564189B1DBB766632511D8E,SHA256=78DF9EE2172BA90CC6D2135DDDCAA08B2DF2036EFFFFD51DDA50610A876E7529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:37.354{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD6F9A10F275B0E2DD549E467D40B91,SHA256=6B2B1CEB2060B824353FF9BCADA3D1DE810F0BDDEFE6898A4FFA8BBBB45E5316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F4D-609D-EE50-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7F4D-609D-EE50-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F4D-609D-EE50-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.189{E1BD9FC2-7F4D-609D-EE50-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000572230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:34.679{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52760-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:38.673{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3564429F87D93C7878D38C038A1C54,SHA256=AEBB5DAD73390D979EF7D5458A50FF7E7FC8B0CE13BCFF6D5E4EA92A08E98F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:38.374{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4654C113208EF451BA89D608E785567E,SHA256=05BA869D77A94E4662A43A8DF2484797F9B6C6686D2921F6824D812FC20E15BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:38.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94D7CFD8C6C6556DED3B2E4CE707CF62,SHA256=959F6898417D62CE7CF16D7C29869DE709577DE216DDE22C4AD65E91F21421E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:39.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747F6FE9987CE194DBBAF30FD4AABBC1,SHA256=C0732537F56B6BF4F652C81AE4CACE245E76D47942F9851271F54C82A47CED6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:39.904{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000670778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:39.904{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:39.904{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa79d253.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:37.379{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51148-false10.0.1.12-8000- 23542300x8000000000000000670775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:39.389{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACD9CCFB2FF1FD15ADC90C011574839,SHA256=A296A2EE17B4F439E10149EE3D185478009EAD39D0066EE35CBA1BD47F0EA24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:40.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BA0768BE88443021E0E8C93C12DDC1,SHA256=6D3456B8B7791F9030DBD25A58A9EF753F0E07048A31EBED253E81EBFDABCF43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:40.877{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:40.877{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:40.877{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:40.393{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4993473BC662E0352A259C4693A1277A,SHA256=4EE68EA820F552B81D96FC7D5C9841769A2B6A46AC11F0B63D8729AE813999CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:41.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDE77099F64E78A7A1B51FF1E30AEE3,SHA256=30C1D294A6C69E177580FCAACCC09D86C3591FC1F95ACCD1DAA2F6A793A42A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:41.408{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBFC13944D986CD0FE81B45FA8E72B6,SHA256=3753C0DE5B9EA0F5BF65ADC48A3D4F9CC333DDE2BC8FB596958795D1A51EBA15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:41.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8B74273E729F8894A82E4777F01F1B9,SHA256=98468127434EE1438C670F23DFD83ADD9A2AFF66688FE022E4D2AEDE09E962E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:42.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC747D05FCECBF6A797B29DBD113E1B,SHA256=A1CBB3F4DB92E9E11B7513339007E22F8E5572A0B2E0D675A767A48A5FD3C6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:42.422{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563886760B3F92D7A6417C52914B147A,SHA256=11FBB17FCE9EA634EFF0F2F91684E734F4927363118B204EF277A10356F10F8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:39.773{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52761-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:42.322{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A495B98FAD0469174E6DCA79DDCE90A,SHA256=B7FAEB7CE7EA017D05449E5E5886FF0015E01A5169FA1D38D8E77FD3CB8DF82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:43.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F632C6A38C57894F0A86012DB95EE97D,SHA256=19BDE7356933FAF2792ED3AA5F071A05B045C5393A7822B1D274BE6BA7E1D73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:43.437{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D3C42B1B2443E05E61B24FBD3B46B2,SHA256=21E34CAE73DFB8A2C83F2060C3230B75088D65AB9043C8AAF80A826B4F9E490C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:44.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF869841CD8D6EFE16E8E51DFE4F663,SHA256=B81ED30C6526EC59579EB5BC9A727A8B147B282CDDA8B3FFF046BD73A33F2D19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:43.383{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51149-false10.0.1.12-8000- 23542300x8000000000000000670789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:44.454{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90C786D195D490587C75736381E08BC,SHA256=A2E7BDB237EEB42F95587D23F3BAB9CCD077ACA65A5B9013260B8180431E33CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:44.174{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86D4EB1E15B2273BDA62F93D6DC89BD6,SHA256=D18BD34DC9738E9F505D187B84CB0BA306B05E9AC37EB013257659BB88BBC127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:45.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1178B4C9A6091BF6B9BBC09653EC0E,SHA256=82E08C69F19764EDA8DF99922EEB6DD7CF02894AF940ABFB1767B6FDC3DB8B7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:44.322{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local55209- 10341000x8000000000000000670808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.755{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F55-609D-E555-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.754{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.753{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.753{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.753{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.753{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F55-609D-E555-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.752{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F55-609D-E555-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.752{7B03F3B2-7F55-609D-E555-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.505{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CC36F2AAE4EE912C4E4D219A264B39,SHA256=C09BDA262738D710A1C9993FFF72189C7368E54325F932D9F3AD2E365EE9846B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.257{7B03F3B2-7F55-609D-E455-00000000BA01}24164728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F55-609D-E455-00000000BA01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F55-609D-E455-00000000BA01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F55-609D-E455-00000000BA01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.075{7B03F3B2-7F55-609D-E455-00000000BA01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:46.739{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2D1E7C51F179496D5B440F6F1DF687,SHA256=FA043F89E6017971F31B6BD200AC43E99628E06DD9630270B734368BC7BEE980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.520{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9891F0E3A353588D574736B6D25D3FB,SHA256=09BA76F40702A1C02F3F8BE73F40C85CF9CD02A2C62866A156DA45EE0A78B2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:46.282{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20BD305815CA0CA3BD0BD32EFBC477F9,SHA256=CC839DE6240E22E77A77BA9D0CA81BC95B45F5112CE09070521936312B4D3E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:46.282{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9009432DCE40398EB0271DD3854BDCF9,SHA256=A67662A44A4E6B58A31CD88335B279E0649C51EEE2F98E890E137E77C6FAB743,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F56-609D-E655-00000000BA01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F56-609D-E655-00000000BA01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F56-609D-E655-00000000BA01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.420{7B03F3B2-7F56-609D-E655-00000000BA01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.088{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FDEFAF7D96FBD983C64BCB54F0A02FB,SHA256=A2C1389CFE16C3ADDC36C1FF75BEF305B60B7B0797FFCB1E71DA5CBD664D4A9C,IMPHASH=00000000000000000000000000000000falsetrue